XSS in Magento 2 CE

Hi there,

I have found a way to use XSS, and I haven't found any way to notify the dev team directly about that - the main site sucks.
Steps to reproduce:

1) Install M2 CE with Data, update indexes, flush cache

2) Go to /karissa-v-neck-tee.html

3) Notice that the meta description has not been escaped

4) Go to the admin panel and write in the meta description field:

"/><script>alert('XSS!')</script>

5) Update the product page

It's too funny to have a lot of devs, testers and managers but release a bugged Magento version that you have developed for more than two years, and not have any simple way on your main page to notify you about a vulnerability.

3 REPLIES

Re: XSS in Magento 2 CE

Hi Dmitry,

As I can see, your solution covers only the case when the description is empty, so it still allows injecting scripts directly through meta fields.

IMHO it doesn't make any sense to allow any tags or scripts in these fields, so all this data should always be stripped before save.

And I really don't understand why the DEV and TEST teams have been keeping this bug alive for 16 (!) days.
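The two defences discussed in this thread, escaping the meta description in its HTML attribute context and stripping markup before save, as an added PHP example that is not part of the original posts or of Magento's own code; the function names are assumed, and the sample input is the payload quoted in the first post.

```php
<?php
declare(strict_types=1);

// Constructed sample input: the payload from the first post in this thread.
const SAMPLE_PAYLOAD = '"/><script>alert(\'XSS!\')</script>';

// The vulnerable pattern the first post describes: the stored value is dropped
// into the attribute without escaping, so the leading quote closes the
// attribute and the browser parses the injected <script> element.
function renderMetaVulnerable(string $description): string
{
    return '<meta name="description" content="' . $description . '"/>';
}

// Output-side fix: encode for an HTML attribute context. ENT_QUOTES encodes
// both " and ', so the value cannot break out of the attribute; the text is
// still delivered verbatim to crawlers, just as entities.
function renderMetaEscaped(string $description): string
{
    $safe = htmlspecialchars($description, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<meta name="description" content="' . $safe . '"/>';
}

// Storage-side defence the second reply suggests: a meta description never
// needs markup, so drop tags before save. Note that strip_tags() keeps the
// text between tags and the leading quote ("/>alert('XSS!') survives), so
// this complements output escaping and does not replace it.
function sanitizeMetaForSave(string $description): string
{
    $stripped = strip_tags($description);
    return trim(preg_replace('/\s+/', ' ', $stripped));
}

// Self-check when run from the CLI: php meta_escape_example.php
if (PHP_SAPI === 'cli') {
    echo 'Vulnerable: ' . renderMetaVulnerable(SAMPLE_PAYLOAD) . PHP_EOL;
    echo 'Escaped:    ' . renderMetaEscaped(SAMPLE_PAYLOAD) . PHP_EOL;
    echo 'Stripped:   ' . sanitizeMetaForSave(SAMPLE_PAYLOAD) . PHP_EOL;
    // The escaped output must never contain a raw "<script" substring.
    assert(strpos(renderMetaEscaped(SAMPLE_PAYLOAD), '<script') === false);
}
```

The same attribute-context encoding is what a Magento template should apply to every attribute it fills from admin-editable fields, whether the value is empty or not.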
Re: XSS in Magento 2 CE

Please report any vulnerabilities on: https://bugcrowd.com/magento

Additional security information can be found at: https://magento.com/security

--

Community Manager, Magento
Problem solved? Click Accept as Solution!
Still stuck? Check out our documentation: https://magento.com/resources/technical