XSS vulnerability in version 3.3.8

[kpapijnenburg]

Issue Brief

We use Tweakwise version 3.3.8 in our webshop. A routine vulnerability check has shown that there are cross site scripting (XSS) vulnerabilities in the code, see the attachment for more information.

xss_vulnerability.pdf

Environment

• PHP Version: 7.3
• Magento Version: 2.4.3
• Tweakwise Version: 3.8.8
• Magento Deploy Mode: production

Steps to reproduce

1. Copy the GET request from the xss_vulnerability.pdf (highlighted on the second page.)
2. Execute the request.

Actual result

1. The content of the script tag was executed.

Expected result

1. The content of the script tag was not executed.

[ah-net]

I've added this issue to our work log. We will keep you informed.

[ah-net]

This issue is already fixed from version 4.2.0 and above.