
XSS in admin dashboard #51

Closed
b1nslashsh opened this issue Nov 29, 2020 · 3 comments

Comments

@b1nslashsh

b1nslashsh commented Nov 29, 2020

Reflected XSS in admin panel
There is a cross-site scripting (XSS) vulnerability in the admin dashboard.

To Reproduce

  1. The search function in the admin dashboard is vulnerable to XSS:
    https://demo.s-cart.org/sc_admin/order?keyword=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

Screenshots: [screenshot attached to the original issue, not reproduced here]

Fix for it :)

Using htmlentities() in s-cart/core at

https://github.com/s-cart/core/blob/master/src/Admin/Controllers/AdminOrderController.php#L170
will fix this issue

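The reflection pattern the report describes, as an added example that is not s-cart's code: a search term from the query string is written into the value attribute of the admin search box, first unescaped (the reported behaviour) and then through htmlentities() (the reporter's suggested fix). The function names, the template string and the check helper are assumptions for illustration; the payload is the one from the reported URL.

```php
<?php
// Added example, not code from the s-cart project. It models the reported
// pattern: a search keyword reflected into the admin order page's search box.
// Function names and the template below are assumptions for illustration.

declare(strict_types=1);

// The payload from the reported URL, after URL decoding:
//   "><script>alert(document.cookie)</script>
const REPORTED_PAYLOAD = '"><script>alert(document.cookie)</script>';

/**
 * Vulnerable rendering: the raw keyword is interpolated into an HTML
 * attribute. A double quote in the input closes the attribute value,
 * '>' closes the tag, and everything after it is parsed as markup.
 */
function renderSearchBoxVulnerable(string $keyword): string
{
    return '<input type="text" name="keyword" value="' . $keyword . '">';
}

/**
 * Hardened rendering: htmlentities() with ENT_QUOTES encodes ", ', <, > and &
 * so the input can never leave the quoted attribute value. The charset is
 * passed explicitly so the result does not depend on default_charset.
 */
function renderSearchBoxSafe(string $keyword): string
{
    $escaped = htmlentities($keyword, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="keyword" value="' . $escaped . '">';
}

/**
 * Crude check used only for this demo: does the rendered HTML contain a
 * <script tag? The template itself never emits one, so any hit came from
 * the user-controlled keyword.
 */
function containsScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Mimic the request ?keyword=%22%3E%3Cscript%3E... as it reaches a
// controller after the framework URL-decodes the query string.
$keyword = urldecode('%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E');
if ($keyword !== REPORTED_PAYLOAD) {
    throw new RuntimeException('decoded keyword does not match the reported payload');
}

$vulnerable = renderSearchBoxVulnerable($keyword);
echo "Vulnerable:\n", $vulnerable, "\n";
echo "  script tag injected: ", containsScriptTag($vulnerable) ? 'yes' : 'no', "\n\n";

$safe = renderSearchBoxSafe($keyword);
echo "Hardened:\n", $safe, "\n";
echo "  script tag injected: ", containsScriptTag($safe) ? 'yes' : 'no', "\n";
```

Run with `php example.php`. The vulnerable output contains a closed `value=""` followed by a live `<script>` element; the hardened output keeps the whole payload inside the attribute as `&quot;&gt;&lt;script&gt;...`. htmlentities() is the right tool for HTML body text and quoted attribute values; a value that lands inside a `<script>` block, an inline event handler or a URL needs encoding for that context instead.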

@lanhktc
Collaborator

lanhktc commented Nov 29, 2020

Thanks so much. This error will be fixed in the next release.

@lanhktc
Collaborator

lanhktc commented Dec 6, 2020

Fixed in SC 4.4

@lanhktc lanhktc closed this as completed Dec 6, 2020
@abergmann

CVE-2020-28457 was assigned to this issue.
