Craft Commerce has Stored XSS in Product Type Name
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input (source) is in Commerce (Product Type settings), but the sink is in CMS user permissions settings. This issue has been patched in versions 4.10.1 and 5.5.2.
Affected products
- ==>= 5.0.0, < 5.5.2
- ==>= 4.0.0-RC1, < 4.10.1
Matching in nixpkgs
pkgs.python312Packages.azure-mgmt-commerce
This is the Microsoft Azure Commerce Management Client Library
pkgs.python313Packages.azure-mgmt-commerce
This is the Microsoft Azure Commerce Management Client Library
pkgs.python314Packages.azure-mgmt-commerce
This is the Microsoft Azure Commerce Management Client Library
pkgs.python312Packages.mypy-boto3-marketplacecommerceanalytics
Type annotations for boto3 marketplacecommerceanalytics
-
nixos-25.11 -
- nixos-25.11-small boto3-marketplacecommerceanalytics-1.41.0
- nixpkgs-25.11-darwin boto3-marketplacecommerceanalytics-1.41.0
-
nixos-25.05 boto3-marketplacecommerceanalytics-1.38.0
- nixos-25.05-small boto3-marketplacecommerceanalytics-1.38.0
- nixpkgs-25.05-darwin boto3-marketplacecommerceanalytics-1.38.0
pkgs.python313Packages.mypy-boto3-marketplacecommerceanalytics
Type annotations for boto3 marketplacecommerceanalytics
-
nixos-unstable boto3-marketplacecommerceanalytics-1.42.3
- nixpkgs-unstable boto3-marketplacecommerceanalytics-1.42.3
- nixos-unstable-small boto3-marketplacecommerceanalytics-1.42.3
-
nixos-25.11 -
- nixos-25.11-small boto3-marketplacecommerceanalytics-1.41.0
- nixpkgs-25.11-darwin boto3-marketplacecommerceanalytics-1.41.0
-
nixos-25.05 boto3-marketplacecommerceanalytics-1.38.0
- nixos-25.05-small boto3-marketplacecommerceanalytics-1.38.0
- nixpkgs-25.05-darwin boto3-marketplacecommerceanalytics-1.38.0
pkgs.python314Packages.mypy-boto3-marketplacecommerceanalytics
Type annotations for boto3 marketplacecommerceanalytics
-
nixos-unstable boto3-marketplacecommerceanalytics-1.42.3
- nixpkgs-unstable boto3-marketplacecommerceanalytics-1.42.3
- nixos-unstable-small boto3-marketplacecommerceanalytics-1.42.3
pkgs.python312Packages.types-aiobotocore-marketplacecommerceanalytics
Type annotations for aiobotocore marketplacecommerceanalytics
pkgs.python313Packages.types-aiobotocore-marketplacecommerceanalytics
Type annotations for aiobotocore marketplacecommerceanalytics
Package maintainers
-
@mwilsoncoding Max Wilson <nixpkgs@maxwilson.dev>
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
-
@mbalatsko Maksym Balatsko <mbalatsko@gmail.com>