nopSolutions / nopCommerce

ASP.NET Core eCommerce software. nopCommerce is a free and open-source shopping cart.
https://www.nopcommerce.com

XSS Vulnerability Adding a Product #7233

Closed iamtron01 closed 3 weeks ago

iamtron01 commented 3 weeks ago

nopCommerce version: 4.70.3

Good day, I found an XSS vulnerability in Nop 4.70.3 while adding a product.

Steps to reproduce the problem:

  1. Download nopCommerce 4.70.3 with source code
  2. Open the solution in Visual Studio 2022
  3. Run the solution and go through the setup wizard, including sample data
  4. Login as store Administrator
  5. Click on Administration
  6. Click Catalog
  7. Click Products
  8. Click Add new
  9. Enter a product name
  10. Enter, as the Description
  11. Give the product a price
  12. Give the product a Category, Computers >> Desktops (may not be needed; I did it to make it easier to find)
  13. Click Save
  14. From the Store Front Side, Select Computers, Click Desktops

Please acknowledge

See attachments: Popup, Create, Display


AndreiMaz commented 3 weeks ago

It's by design. A store owner can enter any HTML text including script tags.

iamtron01 commented 3 weeks ago

Acknowledged.