AbanteCart Community

Shopping Cart Operations => Security => Topic started by: Mahomed Dawood on December 09, 2021, 05:15:44 AM

Title: XSS Vulnerability
Post by: Mahomed Dawood on December 09, 2021, 05:15:44 AM
Hi Guys

I recently ran a security check on my website and came across some reflective XSS vulnerability on the product page.
Is this something that AbanteCart is planning on fixing? Or could this just be a misconfiguration on my side?

Title: Re: XSS Vulnerability
Post by: Basara on December 09, 2021, 05:35:06 AM
Hello.

Can you please tell us more about your findings?
Title: Re: XSS Vulnerability
Post by: Mahomed Dawood on December 09, 2021, 05:58:38 AM
Hi

So if I call my website

http://mywebsite/uri?keyword=10mm&category_id=%2522%253e%253cscript%253ealert%2528987654321%2529%253c%252fscript%253e

a JavaScript pop-up appears.

Please see attached

Title: Re: XSS Vulnerability
Post by: Basara on December 09, 2021, 07:18:33 AM
Hello.
What is your AbanteCart version?
I do not see the problem on AbanteCart demo https://demo.abantecart.com/uri?keyword=10mm&category_id=%2522%253e%253cscript%253ealert%2528987654321%2529%253c%252fscript%253e
Title: Re: XSS Vulnerability
Post by: Mahomed Dawood on December 09, 2021, 08:37:46 AM
Hi

Seems to originate from the search bar

Try this

https://demo.abantecart.com/index.php?rt=product/search&keyword=shoe&category_id=%2522%253e%253cscript%253ealert%2528987654321%2529%253c%252fscript%253e
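
The search URL above reflects the category_id query value back into the page. As an added illustration, not AbanteCart's own code and not the fix referenced in the bug tracker, the Python below shows the two halves a defender cares about: a hypothetical template fragment that drops the query value raw into an HTML attribute beside the same fragment with attribute encoding (html.escape with quote=True, the counterpart of PHP's htmlspecialchars with ENT_QUOTES), and a scanner over constructed access-log lines that percent-decodes each query value until it stops changing, so the double-encoded form in the thread (%2522 becomes %22 becomes a quote character) is seen the way a browser would eventually see it, and flags script-like markup. The log lines, the template markup and every function name are assumptions made for this example.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical template fragment (not AbanteCart's): the raw version lets a
# value containing a quote close the attribute early; the hardened version
# encodes quotes and angle brackets so the value stays inside the attribute.
def render_category_field_unsafe(category_id: str) -> str:
    return f'<input type="hidden" name="category_id" value="{category_id}">'


def render_category_field_safe(category_id: str) -> str:
    encoded = html.escape(category_id, quote=True)
    return f'<input type="hidden" name="category_id" value="{encoded}">'


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that a
    double-encoded value such as %2522 is reduced to the character that
    would reach the HTML if the application decodes more than once."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


# Markup patterns that should never appear in a decoded category_id or
# keyword value; matched case-insensitively after full decoding.
SCRIPT_PROBE = re.compile(r"<\s*script\b|javascript:|on\w+\s*=", re.IGNORECASE)


def suspicious_params(request_target: str) -> dict:
    """Return {param_name: decoded_value} for query parameters whose fully
    decoded form carries script-like markup. parse_qs already decodes one
    layer; fully_decode handles any further layers."""
    query = urlsplit(request_target).query
    hits = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            decoded = fully_decode(raw)
            if SCRIPT_PROBE.search(decoded):
                hits[name] = decoded
    return hits


# Constructed Apache-style access-log lines for the demonstration. The first
# carries the double-encoded value reported in this thread, the second a
# normal numeric category_id.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [09/Dec/2021:05:10:01 +0000] "GET /index.php?rt=product/search'
    '&keyword=shoe&category_id=%2522%253e%253cscript%253ealert%2528987654321%2529'
    '%253c%252fscript%253e HTTP/1.1" 200 5120',
    '203.0.113.6 - - [09/Dec/2021:05:11:44 +0000] "GET /index.php?rt=product/search'
    '&keyword=shoe&category_id=36 HTTP/1.1" 200 4890',
]

REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def scan_access_log(lines) -> list:
    """Return (request_target, hits) pairs for log lines whose query string
    carries a script-like value in any parameter."""
    findings = []
    for line in lines:
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        target = match.group(1)
        hits = suspicious_params(target)
        if hits:
            findings.append((target, hits))
    return findings


if __name__ == "__main__":
    probe = fully_decode("%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e")
    print("raw template:     ", render_category_field_unsafe(probe))
    print("encoded template: ", render_category_field_safe(probe))
    for target, hits in scan_access_log(SAMPLE_ACCESS_LOG):
        print("flagged request:  ", target)
        for name, value in hits.items():
            print(f"  {name} = {value!r}")
```

The scanner is deliberately parameter-agnostic: the thread reports category_id, but the same decoding and matching applies to keyword or any other reflected value, and bounding the decode loop keeps a long chain of percent signs from turning into unbounded work. The encoding side is the actual mitigation; the log scan only tells you whether anyone has been sending such values at a site that has not yet applied the fix.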
Title: Re: XSS Vulnerability
Post by: Mahomed Dawood on December 09, 2021, 08:48:25 AM
I have AbanteCart v1.3.1.

Title: Re: XSS Vulnerability
Post by: Basara on December 10, 2021, 12:07:23 AM
Hello.
Thank you for reporting. We will provide the fix shortly.
Please follow the issue in the bug tracker: https://github.com/abantecart/abantecart-src/issues/1513

Title: Re: XSS Vulnerability
Post by: Mahomed Dawood on December 10, 2021, 12:17:47 AM
Thank you
Title: Re: XSS Vulnerability
Post by: Basara on December 14, 2021, 06:28:24 AM
Hello.
You can try to apply the fix on your site.
See the commit in https://github.com/abantecart/abantecart-src/issues/1513

Title: Re: XSS Vulnerability
Post by: Mahomed Dawood on December 15, 2021, 04:28:59 AM
Hi

Works like a charm

Thank you for your assistance