XSS issue in the "discountcode" parameter #5322

Closed
AndreiMaz opened this issue Feb 8, 2021 · 1 comment
@AndreiMaz
Member

The vulnerability is a reflected XSS in the discountcode URL parameter. If an invalid discount code is entered, the value is reflected directly in the response without HTML encoding. This was tested on Google Chrome, Firefox and Edge with a fresh install of nopCommerce. I have attached a screenshot of the PoC.

The cause of the issue is the following line:

_notificationService.WarningNotification(string.Format(invalidLocale, invalidCouponCode));

which uses the String.format() function without sanitising the user input.

The same code exists in the 4.3.0 release tag as well:

string.Format(_localizationService.GetResource("ShoppingCart.DiscountCouponCode.Invalid"),

Let me know if you require additional information.
xss_poc
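
The pattern reported above, next to an HTML-encoded variant, as an added example that is not part of the original issue or of nopCommerce's code. The template text, class and method names are assumptions made for the illustration; `WebUtility.HtmlEncode` is the standard .NET encoder.

```csharp
using System;
using System.Net;

// Added illustration; not nopCommerce source. Names and template are assumed.
static class DiscountNotice
{
    // Constructed stand-in for the localized resource
    // "ShoppingCart.DiscountCouponCode.Invalid" (its real text is not on the page).
    const string InvalidLocale = "The coupon code ({0}) is invalid.";

    // Pattern from the issue: the request value is formatted into the message as-is.
    public static string Unencoded(string couponCode) =>
        string.Format(InvalidLocale, couponCode);

    // Hardened: HTML-encode the untrusted value before it enters the message,
    // so it is rendered as text even if the notification is output as raw HTML.
    public static string Encoded(string couponCode) =>
        string.Format(InvalidLocale, WebUtility.HtmlEncode(couponCode ?? string.Empty));

    // True if any character that can open a tag or close an attribute survived.
    public static bool ContainsMarkup(string message) =>
        message.IndexOfAny(new[] { '<', '>', '"', '\'' }) >= 0;
}

static class Program
{
    static void Main()
    {
        // Constructed inputs: an ordinary code, a tag, and an attribute breakout.
        string[] samples = { "SPRING10", "<script>alert(1)</script>", "\" onmouseover=\"x" };

        foreach (var input in samples)
        {
            var raw = DiscountNotice.Unencoded(input);
            var safe = DiscountNotice.Encoded(input);

            Console.WriteLine($"input   : {input}");
            Console.WriteLine($"raw     : {raw}  (markup: {DiscountNotice.ContainsMarkup(raw)})");
            Console.WriteLine($"encoded : {safe}  (markup: {DiscountNotice.ContainsMarkup(safe)})");

            // Regression check: the encoded message must never carry live markup.
            if (DiscountNotice.ContainsMarkup(safe))
                throw new InvalidOperationException("Encoded message still contains markup.");
        }
    }
}
```

Encoding where the message is built assumes the notification is later written to the page as raw HTML, as the issue reports; if the view also encodes its output, the value would be double-encoded and the encoding should live in only one of the two places.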

@DmitriyKulagin
Contributor

Closed #5322
