Security issues in nopCommerce 4.50.1
CVE-2022-28448
Description: nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). An attacker with the customer role can inject JavaScript into the First name or Last name fields at Customer Info. When that customer requests a resource they are not authorized for, for example /admin, the server redirects to the login page and shows the notification: "You are already logged in as {Customer Name}. You may log in with another account." The customer name is reflected in the response without HTML encoding, so the payload executes when displayBarNotification() is called.
Note: If an administrator uses the Place order (impersonate) feature for that customer, the injected JavaScript executes under the administrator's session.
Link: https://github.com/nopSolutions/nopCommerce/issues/6191
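The following is an added example, not nopCommerce's own displayBarNotification() code. It renders the notification template quoted above twice: once the way the bug behaves (the name concatenated straight into markup) and once with the untrusted name HTML-encoded first. The template text comes from the advisory; the wrapping markup, helper names and the payload are assumptions made for the example.

```javascript
// Added example, not nopCommerce's own displayBarNotification(): the message
// template quoted in the advisory, rendered once the way the bug behaves (raw
// concatenation into markup) and once with the untrusted name HTML-encoded.
// Wrapper markup and the payload are constructed for this example.

const TEMPLATE = 'You are already logged in as {0}. You may log in with another account.';

// Entity-encode a value destined for an HTML text node.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The function replacer sidesteps String.replace's "$&"-style substitution
// patterns, which an attacker-controlled name could otherwise trigger.
function fillTemplate(value) {
  return TEMPLATE.replace('{0}', () => value);
}

// Vulnerable shape: the customer name goes into the markup unencoded, so a
// name such as <img src=x onerror=...> becomes live HTML the moment the
// notification bar's innerHTML is set.
function renderNotificationUnsafe(customerName) {
  return '<div class="bar-notification"><p class="content">' +
    fillTemplate(customerName) + '</p></div>';
}

// Hardened shape: encode before the value touches the markup.
function renderNotificationSafe(customerName) {
  return '<div class="bar-notification"><p class="content">' +
    fillTemplate(htmlEncode(customerName)) + '</p></div>';
}

// Tester's check against a captured response body: is the marker name
// reflected with its angle brackets intact?
function reflectsRawMarkup(responseBody, payload) {
  return payload !== htmlEncode(payload) && responseBody.includes(payload);
}

// Constructed First name value for the check.
const PAYLOAD = '<img src=x onerror=alert(document.domain)>';

console.log('unsafe reflects raw markup:', reflectsRawMarkup(renderNotificationUnsafe(PAYLOAD), PAYLOAD));
console.log('safe   reflects raw markup:', reflectsRawMarkup(renderNotificationSafe(PAYLOAD), PAYLOAD));
```

The same reflectsRawMarkup() check works against a real response: set the First name to a marker containing angle brackets, request /admin as that customer, and look for the marker unencoded in the redirected page.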
CVE-2022-28449
Description: nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). Through the "Apply for vendor account" feature an attacker can upload an arbitrary file, for example one with a .html extension. When an administrator opens the vendor application by clicking Edit, the uploaded file is generated and served at a predictable path of the form /images/thumbs/{id}_{Vendor.Name}_100.{Content-Type extension}
The id is a 7-digit, zero-padded, auto-incrementing number, so it is easy to guess or brute-force.
Special characters in the user-supplied Vendor.Name are filtered; using only alphabetic characters keeps the name unchanged in the output.
The extension is taken from the Content-Type: text/html yields .html.
Example of the final uploaded file: https://[URL]/images/thumbs/0000108_pentester_100.html
Link: https://github.com/nopSolutions/nopCommerce/issues/6192
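The following is an added example, not nopCommerce's upload or thumbnail code. It reproduces the file-name scheme observed above and contrasts two ways of picking the extension: trusting the client Content-Type (which is what lets text/html become .html) versus sniffing the magic bytes and emitting only known image extensions. The signature table, the sanitisation rule, the base URL and the byte samples are assumptions made for the example.

```javascript
// Added example, not nopCommerce code. Shows the thumbnail naming scheme from
// the advisory and two ways of choosing the extension: the weak one (trust the
// client Content-Type) and a hardened one that sniffs the bytes and only emits
// image extensions. Signature table and byte samples are constructed.

// Magic-byte signatures for the only formats we are willing to store.
const IMAGE_SIGNATURES = [
  { type: 'image/png',  ext: 'png',  magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg', ext: 'jpeg', magic: [0xff, 0xd8, 0xff] },
  { type: 'image/gif',  ext: 'gif',  magic: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
];

function detectImageType(bytes) {
  for (const sig of IMAGE_SIGNATURES) {
    if (bytes.length >= sig.magic.length && sig.magic.every((b, i) => bytes[i] === b)) {
      return sig;
    }
  }
  return null;
}

// Observed scheme: {7-digit id}_{vendor name}_{size}.{ext}. Special characters
// in the vendor name are stripped, which is why the advisory uses a purely
// alphabetic name; the exact filter is assumed here.
function sanitizeVendorName(name) {
  return String(name).replace(/[^A-Za-z0-9]/g, '');
}

function padId(id) {
  return String(id).padStart(7, '0');
}

// Weak: the extension is whatever follows "/" in the client-supplied
// Content-Type, so an upload sent as text/html is stored as .html.
function thumbFileNameWeak(id, vendorName, clientContentType, size = 100) {
  const ext = clientContentType.split('/')[1];
  return `${padId(id)}_${sanitizeVendorName(vendorName)}_${size}.${ext}`;
}

// Hardened: ignore the header, sniff the bytes, reject anything that is not a
// known image, and take the extension from our own table.
function thumbFileNameSafe(id, vendorName, fileBytes, size = 100) {
  const sig = detectImageType(fileBytes);
  if (!sig) {
    throw new Error('upload rejected: content is not a recognised image');
  }
  return `${padId(id)}_${sanitizeVendorName(vendorName)}_${size}.${sig.ext}`;
}

// Because the id is sequential, a tester can enumerate neighbouring ids to
// locate a freshly generated thumbnail without knowing its exact number.
function candidateThumbUrls(baseUrl, vendorName, ext, startId, count, size = 100) {
  const urls = [];
  for (let id = startId; id < startId + count; id++) {
    urls.push(`${baseUrl}/images/thumbs/${padId(id)}_${sanitizeVendorName(vendorName)}_${size}.${ext}`);
  }
  return urls;
}

// Constructed samples: a PNG header and an HTML payload.
const PNG_SAMPLE = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);
const HTML_SAMPLE = new TextEncoder().encode('<script>alert(document.domain)</script>');

console.log('weak  :', thumbFileNameWeak(108, 'pentester', 'text/html'));
console.log('safe  :', thumbFileNameSafe(108, 'pentester', PNG_SAMPLE));
console.log('probe :', candidateThumbUrls('https://shop.example', 'pentester', 'html', 106, 3));
```

Sniffing alone does not make a stored file safe to serve: a valid PNG can still carry trailing HTML, so the /images/thumbs/ location should also be served with a fixed image Content-Type and X-Content-Type-Options: nosniff rather than letting the file extension decide.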
CVE-2022-28450
Description: nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS) via the "Text" parameter of the forums when creating a new post, which allows a remote attacker to execute arbitrary JavaScript in the victim's browser.
Steps to reproduce:
1. Create a new topic, or reply to an existing one, with the following in the "Text" parameter:
[url]javascript:alert(document.domain)[/url]
2. Open the topic created in step 1 and click the rendered link text
javascript:alert(document.domain)
to trigger the XSS.
Link: https://github.com/nopSolutions/nopCommerce/issues/6194
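The following is an added example, not nopCommerce's own BBCode helper. It is a minimal renderer for [url] tags that shows why the payload above becomes a clickable javascript: link, and how a scheme allow-list on the href stops it. Only [url]...[/url] and [url=...]...[/url] are handled; the sample posts are constructed.

```javascript
// Added example, not nopCommerce's BBCode helper: a minimal [url] tag renderer
// that shows why the forum payload works and how a scheme allow-list stops it.
// Only [url]...[/url] and [url=...]...[/url] are handled; posts are constructed.

function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Group 1: optional href from [url=...]; group 2: the tag body.
const URL_TAG = /\[url(?:=([^\]]+))?\]([\s\S]*?)\[\/url\]/gi;

// Walks the post, encodes the text between tags, and asks hrefPolicy whether a
// tag may become a link. A null answer drops the tag and keeps its body as text.
function renderUrlTags(text, hrefPolicy) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_TAG)) {
    out += htmlEncode(text.slice(last, m.index));
    const body = m[2];
    const href = hrefPolicy(m[1] !== undefined ? m[1] : body);
    out += href === null
      ? htmlEncode(body)
      : `<a href="${htmlEncode(href)}">${htmlEncode(body)}</a>`;
    last = m.index + m[0].length;
  }
  return out + htmlEncode(text.slice(last));
}

// Vulnerable policy: any string becomes an href. Entity encoding does not help,
// because javascript:alert(document.domain) contains nothing to encode.
const anySchemePolicy = (candidate) => candidate;

// Hardened policy: parse with the WHATWG URL parser and accept only absolute
// http(s) URLs. javascript:, data:, vbscript:, mixed case and leading
// whitespace all fall out of this single check.
function httpOnlyPolicy(candidate) {
  let parsed;
  try {
    parsed = new URL(candidate.trim());
  } catch {
    return null; // relative or unparsable: not a link
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:' ? parsed.href : null;
}

function bbcodeToHtmlUnsafe(text) {
  return renderUrlTags(text, anySchemePolicy);
}

function bbcodeToHtmlSafe(text) {
  return renderUrlTags(text, httpOnlyPolicy);
}

// Constructed forum post carrying the advisory's payload.
const POST = 'Check this: [url]javascript:alert(document.domain)[/url]';
console.log(bbcodeToHtmlUnsafe(POST));
console.log(bbcodeToHtmlSafe(POST));
```

Checking parsed.protocol rather than matching the raw string is the important design choice: string-based blocklists miss variants such as "JaVaScRiPt:" or a tab inside the scheme, while the URL parser normalises all of them before the comparison.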
CVE-2022-28451
Description: The "Maintenance" feature in nopCommerce 4.50.1 is vulnerable to path traversal. An attacker with the admin role can delete arbitrary files on the server by changing the value of the "backupFileName" parameter in the POST request to /Admin/Common/Maintenance.
Link: https://github.com/nopSolutions/nopCommerce/issues/6203