Security issues in nopCommerce 4.50.1


Description: nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). An attacker with the customer role can inject JavaScript into the First name or Last name fields under Customer Info. When the customer accesses a denied resource, for example /admin, the server redirects the user to the login page and shows the notification: "You are already logged in as {Customer Name}. You may log in with another account.". The Customer Name is reflected in the response without HTML encoding and causes XSS when displayBarNotification() is called.
Note: If the admin has used the Place order (impersonate) feature, the customer's JavaScript will execute under the admin's session.


Description: nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). In the "Apply for vendor account" feature, an attacker can upload an arbitrary file to the system, for example a file with the .html extension. After the administrator views the "Vendor apply info" by clicking the Edit button, the uploaded file is generated, and the final uploaded file has the format /images/thumbs/{id-Vendor.Name-100.Content-Type-extension}
  • The id parameter is a 7-digit, auto-incrementing number, so it is easy to guess or brute-force.
  • Special characters in the user input Vendor.Name are filtered, so I just used alphabetic characters here to keep the output unchanged.
  • The Content-Type is text/html, so the Content-Type extension is html.
An example of a final uploaded file is https://[URL]/images/thumbs/0000108_pentester_100.html


Description: nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS) via the "Text" parameter (forums) when creating a new post, which allows a remote attacker to execute arbitrary JavaScript code in the client's browser.
  • Create a new topic or reply to a topic, injecting [url]javascript:alert(document.domain)[/url] into the "Text" parameter
  • Click the text javascript:alert(document.domain) in the topic created in step 1 to trigger the XSS


Description: The "Maintenance" feature in nopCommerce 4.50.1 is vulnerable to path traversal: an attacker with the admin role can delete arbitrary files on the system by changing the value of the "backupFileName" parameter in a POST request to /Admin/Common/Maintenance.
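As an added defensive example (not nopCommerce's own code), a C# check that a maintenance endpoint could apply to the backupFileName parameter before deleting anything: it accepts only a bare file name with the expected extension and verifies that the resolved path stays inside an assumed backup directory. The directory location and the .bak extension are assumptions for this example, not values taken from nopCommerce.

```csharp
using System;
using System.IO;

// Added defensive example: validate a user-supplied backup file name before
// deleting it. Not nopCommerce code; the backup directory is a placeholder.
public static class BackupFileNameGuard
{
    // Assumed backup location; nopCommerce's real path is not given on this page.
    private static readonly string BackupDirectory =
        Path.Combine(AppContext.BaseDirectory, "App_Data", "db_backups");

    // Returns the full path that may be deleted, or null when the name is not an
    // acceptable plain file name inside the backup directory.
    public static string ResolveBackupPath(string backupFileName)
    {
        if (string.IsNullOrWhiteSpace(backupFileName))
            return null;

        // Reject anything that is not a bare file name: directory separators,
        // drive prefixes, "." / "..", and characters illegal in file names.
        if (backupFileName != Path.GetFileName(backupFileName)
            || backupFileName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0
            || backupFileName == "." || backupFileName == "..")
            return null;

        // Only backup artifacts are deletable; restrict the extension as well.
        if (!backupFileName.EndsWith(".bak", StringComparison.OrdinalIgnoreCase))
            return null;

        // Normalise both sides, then require the candidate to remain under the root.
        var root = Path.GetFullPath(BackupDirectory + Path.DirectorySeparatorChar);
        var full = Path.GetFullPath(Path.Combine(root, backupFileName));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            return null;

        return full;
    }

    public static void Main()
    {
        // Constructed sample inputs: one legitimate name and three traversal-shaped ones.
        foreach (var name in new[] { "site-2023.bak", @"..\..\web.config", "/etc/passwd", "x.bak/../y.bak" })
            Console.WriteLine($"{name,-20} -> {ResolveBackupPath(name) ?? "rejected"}");
    }
}
```

The containment check after Path.GetFullPath is what makes the guard robust; the file-name and extension checks alone would still be worth keeping as defence in depth, but on their own they are easy to get wrong across platforms.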