nopSolutions / nopCommerce

ASP.NET Core eCommerce software. nopCommerce is a free and open-source shopping cart.
https://www.nopcommerce.com

XSS vulnerability via CustomerFullName in order list #7230

Closed Neavium closed 3 weeks ago

Neavium commented 3 weeks ago

nopCommerce version: release-4.70.2 and in develop branch

Steps to reproduce the problem:

  1. create a user with some script tag in the first or last name. Like: <script>alert(1)</script>
  2. buy a product
  3. then as an admin go to the portal
  4. show orders
  5. the alert will show before loading the list

Exact location of the vulnerability:

/src/Presentation/Nop.Web/Areas/Admin/Views/Order/List.cshtml

Line: 418

return `${row.CustomerFullName}<br /><a href="${link}">${data}</a>`;

How to fix:

Use the text renderer to show the CustomerFullName and probably the data (email) too:

var textRenderer = $.fn.dataTable.render.text().display;
return `${textRenderer(row.CustomerFullName)}<br /><a href="${link}">${textRenderer(data)}</a>`;

skoshelev commented 3 weeks ago

Closed 7230

xmenxwk commented 2 weeks ago

Why allowing customer name to have Githubissues.
