
XSS issue in the "Text" parameter (forums) #6194

Closed
trungtin1998 opened this issue Mar 20, 2022 · 4 comments
@trungtin1998

trungtin1998 commented Mar 20, 2022

nopCommerce version: 4.50.1

Description: A stored cross-site scripting (XSS) vulnerability exists when creating a new post in nopCommerce version 4.50.1 that allows a remote attacker to execute arbitrary JavaScript code in the client browser.

Steps to reproduce the problem:

  • Step 1: Create a new topic or reply to a topic, injecting [url]javascript:alert(document.domain)[/url] into the "Text" parameter.
    [screenshot: storedxss-topic-Text(comment)-createpost]
  • Step 2: Click the text javascript:alert(document.domain) in the topic created in step 1 to trigger the XSS.
    [screenshot: storedxss-topic-Text(comment)]

Let me know if you require additional information.
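As an added example, not nopCommerce's code or the maintainers' fix (which this thread does not show): a constructed Python sketch of how a BBCode [url] renderer turns the reported javascript: payload into a clickable link, beside a hardened renderer that allowlists the URL scheme and HTML-escapes what it writes into the page. The tag pattern, function names and allowlist are assumptions for illustration.

```python
import html
import re
from urllib.parse import urlparse

# Constructed illustration (not nopCommerce code): a minimal BBCode [url] renderer.
URL_TAG = re.compile(r"\[url\](.*?)\[/url\]", re.IGNORECASE | re.DOTALL)
SAFE_SCHEMES = {"http", "https"}  # assumed allowlist; extend deliberately, not by default


def render_url_tags_unsafe(text: str) -> str:
    """Naive renderer: the tag body is copied into href verbatim, so a
    javascript: URL reaches the browser as a clickable link (the bug class
    reported above)."""
    return URL_TAG.sub(lambda m: f'<a href="{m.group(1)}">{m.group(1)}</a>', text)


def is_safe_link(url: str) -> bool:
    """Allowlist the scheme after dropping whitespace and control characters,
    because browsers tolerate forms like 'java\\tscript:' or a leading space.
    Scheme-less input is rejected too, so it is shown as plain text."""
    cleaned = "".join(ch for ch in url if ch.isprintable() and not ch.isspace())
    parsed = urlparse(cleaned)  # urlparse lowercases the scheme for us
    return parsed.scheme in SAFE_SCHEMES and bool(parsed.netloc)


def render_url_tags_safe(text: str) -> str:
    """Hardened renderer: links only for allowlisted schemes, and every
    value written into the markup is HTML-escaped."""
    def repl(m: "re.Match[str]") -> str:
        url = m.group(1).strip()
        if not is_safe_link(url):
            return html.escape(url)  # inert text, never an <a> element
        escaped = html.escape(url, quote=True)
        return f'<a href="{escaped}" rel="noopener noreferrer">{escaped}</a>'
    return URL_TAG.sub(repl, text)
```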
@AndreiMaz AndreiMaz added this to the Version 4.60 milestone Mar 20, 2022
@AndreiMaz AndreiMaz changed the title XSS issue in the "Text" parameter XSS issue in the "Text" parameter (forums) Mar 20, 2022
@skoshelev
Contributor

Hi @trungtin1998. Thank you for your help. We fixed this problem in this commit.

@trungtin1998
Author

Hi guys, can you help me request a CVE for this issue?

@AndreiMaz
Member

@trungtin1998 Please feel free to report it at https://www.cve.org/

But our team would appreciate it if you do so after the next version release of nopCommerce (we plan to release a minor version in April).

@trungtin1998
Author

Hi @AndreiMaz, thank you for your information. I will do it after the next version release of nopCommerce.
