
Stored XSS in customer name when customer accessed deny resource and redirect to login page #6191

Closed
trungtin1998 opened this issue Mar 19, 2022 · 1 comment
@trungtin1998

nopCommerce version: 4.50.1

Steps to reproduce the problem:
[screenshot: storedxss_login_customer_name]

  • Inject JavaScript code into First name or Last name at Customer Info.
  • When the customer accesses a denied resource, for example /admin, the server redirects the user to the login page and shows the notification: "You are already logged in as {Customer Name}. You may log in with another account.". Customer Name is reflected in the response without HTML encoding, and causes XSS when displayBarNotification() is called.
    Note: If the admin used the Place order (impersonate) feature, the customer's JavaScript will execute under the admin session.
@skoshelev
Contributor

Hi @trungtin1998. Thank you for your help. We fixed this problem in this commit

Closed #6191
