Closed
Description
nopCommerce version: 4.50.1
Steps to reproduce the problem:

- Inject JavaScript code into First name or Last name at Customer Info
- When the customer accesses denied resources, for example /admin, the server will redirect the user to the login page and show the notification: "You are already logged in as {Customer Name}. You may log in with another account.". Customer Name is reflected in the response without HTML encoding, and causes XSS when displayBarNotification() is called.

Note: If an admin uses the Place order (impersonate) feature, the customer will execute JavaScript under the admin session.
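
The encoding gap described in this report, shown next to a hardened form. This is an added example, not code from the issue or from nopCommerce. The function names and the sample names are constructed for illustration; only the message text comes from the report.

```javascript
// Added illustration; all function names here are hypothetical, not nopCommerce APIs.

// Notification text quoted in the report, with its placeholder.
const TEMPLATE =
  "You are already logged in as {Customer Name}. You may log in with another account.";

// Encode the characters that are significant in HTML text and attribute contexts.
function htmlEncode(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Behaviour described in the report: the stored name joins the HTML string as-is.
// A replacer function is used so "$" sequences in the name are not interpreted.
function buildMessageUnencoded(customerName) {
  return TEMPLATE.replace("{Customer Name}", () => customerName);
}

// Hardened form: the user-controlled value is encoded before it joins the markup
// that is later handed to an HTML-rendering sink such as a notification bar.
function buildMessageEncoded(customerName) {
  return TEMPLATE.replace("{Customer Name}", () => htmlEncode(customerName));
}

// Regression check: true if the finished message still contains a raw tag opener.
function containsMarkup(message) {
  return /<[a-z!\/]/i.test(message);
}

// Constructed sample values for First name / Last name.
const SAMPLE_NAMES = ["Ann <img src=x onerror=alert(1)>", "O'Brien & Sons"];

// Summarise both variants for each sample so the difference is visible.
function auditSamples(names = SAMPLE_NAMES) {
  return names.map((name) => ({
    name,
    unencodedHasMarkup: containsMarkup(buildMessageUnencoded(name)),
    encodedHasMarkup: containsMarkup(buildMessageEncoded(name)),
    encodedMessage: buildMessageEncoded(name),
  }));
}

console.log(auditSamples());
```

The same check can run as a unit test against whatever code path builds the notification, including the impersonation flow, so a regression shows up before the message reaches the browser.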