CVE-2023-33725: 
Java vulnerability analysis and mitigation

Broadleaf 5.x and 6.x (including 5.2.25-GA and 6.2.6-GA) was discovered to contain a cross-site scripting (XSS) vulnerability via a customer signup with a crafted email address. This vulnerability was fixed in version 6.2.6.1-GA (NVD, Burptrast).

The vulnerability exists in both the customer-facing storefront and admin interface of Broadleaf Commerce. An attacker can inject malicious JavaScript code through the email field during customer registration. The injected code persists in the database and executes when viewed in the admin interface. The vulnerability bypasses client-side validation and can be exploited by using URL-encoded payloads in the email field (Burptrast).

The vulnerability allows an attacker to execute arbitrary JavaScript code in the context of an admin user's browser session. When an admin views the customer list containing the malicious email address, the injected code can create a new admin account with full privileges, effectively allowing complete takeover of the e-commerce site (Burptrast).

Users should upgrade to Broadleaf version 6.2.6.1-GA or later which contains the fix. For those unable to upgrade immediately, the vulnerability can be mitigated by enabling Broadleaf's built-in XSS protections by setting: exploitProtection.xssEnabled=true, exploitProtection.xsrfEnabled=true, and blc.site.enable.xssWrapper=true (Burptrast).