CSRF to Stored XSS Leading to Privilege Escalation - responsible disclosure

[cx-alex-shleymovich]

Hi @thiennn, @hishamco,

I'm a security analyst at Checkmarx CxResearch group, a global software security company focused on promoting safer code and libraries.

We've discovered a stored CSRF vulnerability that leads to Stored XSS and would like to share a detailed report privately. We tried thienn@outlook.com but received no response.

Could you please provide a current email address for this disclosure?

Thank you in advance!

[hishamco]

Thanks for reporting this, let's wait for @thiennn, otherwise I will be on touch with you

[cx-alex-shleymovich]

Hey @hishamco, it’s been 9 days since we sent the report to @thiennn, and we haven’t heard back.
I’ll email the report to you directly at h**********7@yahoo.com

[hishamco]

Let me know once you send your email coz my Yahoo is crowded, or use my Hotmail instead

Thanks

[cx-alex-shleymovich]

Thank you, @hishamco. We sent you the report to the Hotmail address.

[cx-alex-shleymovich]

Hi @hishamco, can you please confirm receiving the email with the report?
If the email was received, can you please tell when you are intending to provide a fix for the issue?

We understand that SimplCommerce may not have a formal security disclosure pipeline, which is exactly why we'd like to help establish proper documentation for this vulnerability.

Checkmarx is a registered CNA, so we can handle the CVE assignment process completely free of charge - no costs or fees involved whatsoever. Our goal is to support the open-source community by ensuring security vulnerabilities are properly documented and tracked. This helps users make informed decisions about their dependencies and enables security tools to identify known issues.

[hishamco]

@cx-alex-shleymovich, I replied to your email on the same day. I was waiting for your reply

[cx-alex-shleymovich]

Sorry, @hishamco missed the email. Replied back to you

[hishamco]

Me too :) let's take action