Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-cv23-q6gh-xfrf

Опубликовано: 12 июн. 2024
Источник: github
Github: Прошло ревью
CVSS3: 5.4

Описание

WooCommerce has a Cross-Site Scripting (XSS) Vulnerability in checkout & registration forms

Impact

A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the Sourcebuster.js library and then inserted without proper sanitization to the classic checkout and registration forms.

Patches

diff --git a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js index 79411e928e1..25eaa721c54 100644 --- a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js +++ b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js @@ -155,12 +155,16 @@ * but it's not yet supported in Safari. */ connectedCallback() { - let inputs = ''; + this.innerHTML = ''; + const inputs = new DocumentFragment(); for( const fieldName of this._fieldNames ) { - const value = stringifyFalsyInputValue( this.values[ fieldName ] ); - inputs += `<input type="hidden" name="${params.prefix}${fieldName}" value="${value}"/>`; + const input = document.createElement( 'input' ); + input.type = 'hidden'; + input.name = `${params.prefix}${fieldName}`; + input.value = stringifyFalsyInputValue( ( this.values && this.values[ fieldName ] ) || '' ); + inputs.appendChild( input ); } - this.innerHTML = inputs; + this.appendChild( inputs ); } /**

Workarounds

Disabling the Order Attribution feature

References

A8C SIRT: p3btAN-2L2-p2 (internal) Public disclosure: https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0/

Ссылки

Пакеты

Наименование

woocommerce/woocommerce

composer
Затронутые версииВерсия исправления

>= 8.8.0, < 8.8.5

8.8.5

Наименование

woocommerce/woocommerce

composer
Затронутые версииВерсия исправления

>= 8.9.0, < 8.9.3

8.9.3

EPSS

Процентиль: 78%
0.01143
Низкий

5.4 Medium

CVSS3

CVE ID

CVE-2024-37297

Дефекты

CWE-79
CWE-80

Связанные уязвимости

nvd логотип

CVE-2024-37297

CVSS3: 5.4
nvd
больше 1 года назад

WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the `Sourcebuster.js` library and then inserted without proper sanitization to the classic checkout and registration forms. Versions 8.8.5 and 8.9.3 contain a patch for the issue. As a workaround, one may disable the Order Attribution feature.

EPSS

Процентиль: 78%
0.01143
Низкий

5.4 Medium

CVSS3

CVE ID

CVE-2024-37297

Дефекты

CWE-79
CWE-80