This repository has been archived by the owner on Oct 19, 2022. It is now read-only.

XSS vulnerability in version 3.3.8 #247

Open
kpapijnenburg opened this issue May 11, 2022 · 2 comments

@kpapijnenburg

Issue Brief

We use Tweakwise version 3.3.8 in our webshop. A routine vulnerability check has shown that there are cross site scripting (XSS) vulnerabilities in the code, see the attachment for more information.

xss_vulnerability.pdf

Environment

  • PHP Version: 7.3
  • Magento Version: 2.4.3
  • Tweakwise Version: 3.8.8
  • Magento Deploy Mode: production

Steps to reproduce

  1. Copy the GET request from the xss_vulnerability.pdf (highlighted on the second page.)
  2. Execute the request.

Actual result

  1. The content of the script tag was executed.

Expected result

  1. The content of the script tag was not executed.

@ah-net
Contributor

ah-net commented May 24, 2022

I've added this issue to our work log. We will keep you informed.

@ah-net
Contributor

ah-net commented May 31, 2022

This issue is already fixed from version 4.2.0 and above.
