AbanteCart Community
Shopping Cart Operations => Security => Topic started by: Mahomed Dawood on December 09, 2021, 05:15:44 AM
-
Hi Guys
I recently ran a security check on my website and came across some reflective xss vulnerability on the product page
Is this something that abantecart are planning on fixing ? or could this just be misconfiguration on my side ?
-
Hello.
Can you please tell us more about your findings?
-
Hi
So if i call my website
http://mywebsite/uri?keyword=10mm&category_id=%2522%253e%253cscript%253ealert%2528987654321%2529%253c%252fscript%253e
A pop up appears with a javascript
Please see attached
-
Hello.
What is your AbanteCart version?
I do not see the problem on AbanteCart demo https://demo.abantecart.com/uri?keyword=10mm&category_id=%2522%253e%253cscript%253ealert%2528987654321%2529%253c%252fscript%253e
-
Hi
Seems to originate from the search bar
Try this
https://demo.abantecart.com/index.php?rt=product/search&keyword=shoe&category_id=%2522%253e%253cscript%253ealert%2528987654321%2529%253c%252fscript%253e
-
I have abantecart v1.3.1
-
Hello.
Thank you for reporting. We will provide the fix shortly
Please follow issue in the bug tracker https://github.com/abantecart/abantecart-src/issues/1513
-
Thank you
-
Hello.
You can try to apply the fix on your site
See commit in https://github.com/abantecart/abantecart-src/issues/1513
-
Hi
Works like a charm
Thank you for your assistance
-
Hi Mahomed Dawood
How did you fix?
Did you update abantecart to latest fixed version or did you apply a fix?
-
what cart version are you currently using?
We have posted the patch file for AbanteCart v 1.3.2 along with instructions
You can get it here:
https://why2central.net/patch/abantecart-v1-3-2-default-core-xss-vulnerability-patch-file/ (https://why2central.net/patch/abantecart-v1-3-2-default-core-xss-vulnerability-patch-file/)
If you are using v 1.3.3, the corrected files are already in that code.