Cross Site Scripting Issue in PrestaShop Using File Upload Functionality #20306

Closed
p1nk15amak opened this issue Jul 23, 2020 · 3 comments
Labels
No change required Resolution: issue closed because expected as is

Comments

@p1nk15amak

An issue is discovered in PrestaShop version 1.7.6.7 under the Catalog feature when using the file-upload functionality for uploading the Files for various products. This issue exists because it fails to implement file content checks and improperly handles the output, resulting in a cross-site scripting attack that leads to cookie stealing or malicious actions.

Steps to Reproduce

  1. Go to Catalog feature
  2. Click on File component and add the details accordingly.
  3. Create a file with .html extension and enter the payload <script>alert('XSS!!');</script> within it. (Here it's uplod.html)
  4. Upload the file
  5. Log in as a customer and click on the file uploaded for the particular product.
  6. You can see the XSS payload gets executed.

CVSS Score:
CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

SS1
SS2
SS3

@prestashop-issue-bot

Thanks for opening this issue! We will help you to keep its state consistent

@matks
Contributor

matks commented Jul 24, 2020

Hi @p1nk15amak ! thank you for the report

Am I wrong if I guess that you had a look at our newly opened bug bounty and that you found this while bug hunting, but since the CVSS score is low, you reported it here?

@PierreRambaud
Contributor

Hi,

This is something we already received on the Bug Bounty program.
Unfortunately, this is not a security issue, as we allow to upload any files we wanted (it's the same for SVG files); any users with admin employee can upload this kind of file, like he's able to upload a module or a theme with compromised data.

Kind regards

@florine2623 florine2623 added the No change required Resolution: issue closed because expected as is label Jul 24, 2020
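
The payload in the report runs only because the uploaded `.html` file is rendered inline in the shop's origin when a customer clicks it. As an added example (not PrestaShop code and not part of the thread; the helper names `attachmentHeaders` and `isActiveContent` and the extension list are assumptions), a download endpoint can keep accepting any file type and still prevent execution by choosing its response headers like this:

```php
<?php
declare(strict_types=1);

// Extensions a browser may render as active content when served inline.
// Constructed list for this example; extend it for your deployment.
const ACTIVE_EXTENSIONS = ['html', 'htm', 'xhtml', 'shtml', 'svg', 'xml'];

/** Flag uploads worth logging or reviewing (hypothetical helper). */
function isActiveContent(string $originalName): bool
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    return in_array($ext, ACTIVE_EXTENSIONS, true);
}

/** Build response headers for serving a stored upload (hypothetical helper). */
function attachmentHeaders(string $originalName): array
{
    // Drop path components, then control characters, quotes and backslashes,
    // so the name cannot break out of the header value or inject a new header.
    $name = basename(str_replace('\\', '/', $originalName));
    $name = preg_replace('/[\x00-\x1F\x7F"\\\\]/', '', $name) ?? '';
    if ($name === '') {
        $name = 'download';
    }
    $ascii = preg_replace('/[^\x20-\x7E]/', '_', $name) ?? 'download';

    return [
        // Never echo a client-supplied or extension-derived type such as text/html.
        'Content-Type' => 'application/octet-stream',
        // Force a download instead of inline rendering.
        'Content-Disposition' => sprintf(
            "attachment; filename=\"%s\"; filename*=UTF-8''%s",
            $ascii,
            rawurlencode($name)
        ),
        // Stop the browser from sniffing the body back into HTML.
        'X-Content-Type-Options' => 'nosniff',
        // If the file is opened anyway, it gets no scripts and an opaque origin.
        'Content-Security-Policy' => "sandbox; default-src 'none'",
    ];
}

// Constructed sample names, including the uplod.html file from the report.
foreach (['uplod.html', 'logo.SVG', 'manual.pdf', "a\r\nSet-Cookie: x=1.html"] as $sample) {
    printf("%s active=%s\n", json_encode($sample), isActiveContent($sample) ? 'yes' : 'no');
    foreach (attachmentHeaders($sample) as $header => $value) {
        printf("  %s: %s\n", $header, $value);
    }
}
```

The same headers apply to every upload regardless of extension; `isActiveContent` is only there so that HTML and SVG uploads, the two types named in the thread, can be logged for review.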