Hi there,
I have found a way to use XSS, and I haven't found any way to notify the dev team directly about it - the main site sucks.
Steps to reproduce:
1) Install M2 CE with data, update the indexes, flush the cache
2) Go to /karissa-v-neck-tee.html
3) Note that the meta description is not escaped
4) Go to the admin panel and write in the meta description field:
"/><script>alert('XSS!')</script >
5) Update the product page
It's too funny to have a lot of devs, testers and managers but release a bugged Magento version that you have been developing for more than two years, and to have no simple way on your main page to notify you about a vulnerability.
I have already reported it 16 days ago:
Hi Dmitry,
As I can see, your solution covers only the case when the description is empty, so it still allows injecting scripts directly through the meta fields.
IMHO it doesn't make any sense to allow any tags or scripts in these fields, so all this data should always be stripped before saving.
And I really don't understand why the DEV and TEST teams have been keeping this bug alive for 16 (!) days.
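To make the reported behaviour concrete without a Magento install, here is an added example (not code from the issue or from Magento) that models the two ways a product's meta description can be interpolated into the `<meta name="description" content="...">` tag. The vulnerable renderer pastes the field verbatim, so the payload above closes the `content` attribute and the tag and injects a `<script>` element; the fixed renderer escapes for the HTML-attribute context. A small `html.parser` probe then checks the rendered markup for what a browser would actually see: how many `<script>` start tags exist and what the description attribute decodes to. The template string and helper names are my assumptions; in Magento's PHP the equivalent of `html.escape(..., quote=True)` is `htmlspecialchars($s, ENT_QUOTES, 'UTF-8')`, wrapped in current Magento 2 releases by the framework escaper's `escapeHtmlAttr()`.

```python
import html
from html.parser import HTMLParser

# The payload from the report, constructed inline: it closes the content attribute,
# self-closes the meta tag, and then opens a script element.
PAYLOAD = '"/><script>alert(\'XSS!\')</script >'

# Hypothetical template fragment standing in for the page <head> output.
META_TEMPLATE = '<meta name="description" content="%s"/>'


def render_meta_unescaped(description: str) -> str:
    """Models the reported behaviour: the admin-entered field is interpolated verbatim."""
    return META_TEMPLATE % description


def render_meta_escaped(description: str) -> str:
    """Models the fix: escape for the attribute context before interpolation.

    html.escape(quote=True) encodes & < > " and ', so the value cannot terminate
    the quoted attribute or introduce a new tag, whatever the admin typed.
    """
    return META_TEMPLATE % html.escape(description, quote=True)


class _MetaProbe(HTMLParser):
    """Counts script start tags and collects decoded description attribute values."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.descriptions = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        elif tag == "meta":
            attributes = dict(attrs)
            if attributes.get("name") == "description":
                # html.parser has already decoded entities in attribute values,
                # so this is the string a browser would hand to document.head.
                self.descriptions.append(attributes.get("content"))


def analyse(markup: str):
    """Return (number of <script> start tags, list of decoded description values)."""
    probe = _MetaProbe()
    probe.feed(markup)
    probe.close()
    return probe.script_tags, probe.descriptions


if __name__ == "__main__":
    for name, renderer in (("unescaped", render_meta_unescaped), ("escaped", render_meta_escaped)):
        markup = renderer(PAYLOAD)
        scripts, descriptions = analyse(markup)
        print(f"{name:9s} markup: {markup}")
        print(f"{name:9s} script tags: {scripts}, description seen by parser: {descriptions!r}")
```

Running it shows the unescaped render yields one `<script>` element and an empty description (the payload's leading `"` ended the attribute early), while the escaped render yields no script element and a description that round-trips byte for byte to what the admin typed. The probe is a useful regression check for any field that lands in an attribute: the assertion that matters is "no tag appears that the template did not contain", not whether the stored value looks suspicious.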
Please report any vulnerabilities on: https://bugcrowd.com/magento
Additional security information can be found at: https://magento.com/security