XSS issue in the "Text" parameter (forums) #6194

Closed
@trungtin1998

Description

nopCommerce version: 4.50.1

Description: A stored cross-site scripting (XSS) vulnerability exists when creating a new post in nopCommerce version 4.50.1, which allows a remote attacker to execute arbitrary JavaScript code in the client's browser.

Steps to reproduce the problem:

  • Step 1: Create a new topic or reply to a topic, injecting [url]javascript:alert(document.domain)[/url] into the "Text" parameter.
  • Step 2: Click the text javascript:alert(document.domain) in the topic that was created in step 1 to trigger the XSS.

Let me know if you require additional information.
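
The report above comes down to a BBCode `[url]` target reaching an `href` attribute without a scheme check. As an added example (not code from this issue or from nopCommerce), the sketch below renders `[url]` tags with a scheme allowlist and HTML-encodes everything else; the class `SafeBbCodeUrl`, its `Render` method and the sample posts are assumptions made for illustration.

```csharp
using System;
using System.Net;
using System.Text;
using System.Text.RegularExpressions;

// Hypothetical helper for illustration; not nopCommerce's own formatter.
public static class SafeBbCodeUrl
{
    private static readonly Regex UrlTag = new Regex(
        @"\[url\](?<target>.*?)\[/url\]",
        RegexOptions.IgnoreCase | RegexOptions.Singleline);

    // Only these schemes may ever reach an href attribute.
    private static readonly string[] AllowedSchemes = { "http", "https" };

    public static string Render(string text)
    {
        var html = new StringBuilder();
        var last = 0;
        foreach (Match m in UrlTag.Matches(text))
        {
            // Everything outside a [url] tag is emitted as encoded text.
            html.Append(WebUtility.HtmlEncode(text.Substring(last, m.Index - last)));
            last = m.Index + m.Length;
            var target = m.Groups["target"].Value.Trim();
            if (Uri.TryCreate(target, UriKind.Absolute, out var uri)
                && Array.IndexOf(AllowedSchemes, uri.Scheme) >= 0)
            {
                var href = WebUtility.HtmlEncode(uri.AbsoluteUri);
                var label = WebUtility.HtmlEncode(target);
                html.Append($"<a href=\"{href}\" rel=\"nofollow noopener\">{label}</a>");
            }
            else
            {
                // Disallowed or unparsable target: show the tag as inert text.
                html.Append(WebUtility.HtmlEncode(m.Value));
            }
        }
        html.Append(WebUtility.HtmlEncode(text.Substring(last)));
        return html.ToString();
    }

    public static void Main()
    {
        // Constructed sample posts; the second is the value from the report.
        Console.WriteLine(Render("See [url]https://example.com/?a=1&b=2[/url]"));
        Console.WriteLine(Render("[url]javascript:alert(document.domain)[/url]"));
    }
}
```

Because the check is an allowlist on the parsed scheme, targets that fail to parse as absolute URIs are rejected along with `javascript:` and any other scheme not listed.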
