Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Tax Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Affected products
- ==>= 5.0.0, < 5.5.2
- ==>= 4.0.0-RC1, < 4.10.1
Matching in nixpkgs
pkgs.python312Packages.azure-mgmt-commerce
This is the Microsoft Azure Commerce Management Client Library
pkgs.python313Packages.azure-mgmt-commerce
This is the Microsoft Azure Commerce Management Client Library
pkgs.python314Packages.azure-mgmt-commerce
This is the Microsoft Azure Commerce Management Client Library
pkgs.python312Packages.mypy-boto3-marketplacecommerceanalytics
Type annotations for boto3 marketplacecommerceanalytics
-
nixos-25.11 -
- nixos-25.11-small boto3-marketplacecommerceanalytics-1.41.0
- nixpkgs-25.11-darwin boto3-marketplacecommerceanalytics-1.41.0
-
nixos-25.05 boto3-marketplacecommerceanalytics-1.38.0
- nixos-25.05-small boto3-marketplacecommerceanalytics-1.38.0
- nixpkgs-25.05-darwin boto3-marketplacecommerceanalytics-1.38.0
pkgs.python313Packages.mypy-boto3-marketplacecommerceanalytics
Type annotations for boto3 marketplacecommerceanalytics
-
nixos-unstable boto3-marketplacecommerceanalytics-1.42.3
- nixpkgs-unstable boto3-marketplacecommerceanalytics-1.42.3
- nixos-unstable-small boto3-marketplacecommerceanalytics-1.42.3
-
nixos-25.11 -
- nixos-25.11-small boto3-marketplacecommerceanalytics-1.41.0
- nixpkgs-25.11-darwin boto3-marketplacecommerceanalytics-1.41.0
-
nixos-25.05 boto3-marketplacecommerceanalytics-1.38.0
- nixos-25.05-small boto3-marketplacecommerceanalytics-1.38.0
- nixpkgs-25.05-darwin boto3-marketplacecommerceanalytics-1.38.0
pkgs.python314Packages.mypy-boto3-marketplacecommerceanalytics
Type annotations for boto3 marketplacecommerceanalytics
-
nixos-unstable boto3-marketplacecommerceanalytics-1.42.3
- nixpkgs-unstable boto3-marketplacecommerceanalytics-1.42.3
- nixos-unstable-small boto3-marketplacecommerceanalytics-1.42.3
pkgs.python312Packages.types-aiobotocore-marketplacecommerceanalytics
Type annotations for aiobotocore marketplacecommerceanalytics
pkgs.python313Packages.types-aiobotocore-marketplacecommerceanalytics
Type annotations for aiobotocore marketplacecommerceanalytics
Package maintainers
-
@mwilsoncoding Max Wilson <nixpkgs@maxwilson.dev>
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
-
@mbalatsko Maksym Balatsko <mbalatsko@gmail.com>