In efforts to improve our Magento 2 extensions day by day, we are always serious in testing all modules thoroughly and fix all issues as quickly as possible.
Recently, some customers reported that Magento 2 Multiple Wishlist versions before v.1.2.0 were possibly vulnerable to the XSS problems which go under CWE-79 and causing this module to fail on OWASP TOP 10 with an ID of A7.
Now, it is fixed on Magento 2 Multiple Wishlist version 1.2.0.
Some information about XSS Problems
Table of Contents
It’s XSS problems that go under CWE-79 and causes this module to fail on OWASP TOP 10 with an ID of A7.
A reflected cross-site scripting (XSS) vulnerability occurs when unsanitized user input is embedded into the HTML response page of the web application. It allows an attacker to inject arbitrary HTML or JavaScript code into the response page of a tampered request.
Usually, this attack is performed by crafting a malicious link that is sent to a victim. When opened, the attacker’s JavaScript payload within the link is reflected by the application and executed in the victim’s browser in the context of the web application’s domain.
This enables the attacker to perform phishing attacks, to steal cookies associated with the domain, or to cause the victim’s browser to execute arbitrary actions on the victim’s behalf and without the victim’s knowledge.
To prevent cross-site scripting vulnerabilities, special characters that are interpreted by the browser to execute not intended actions need to be escaped or filtered out of user input before usage. Which characters are considered harmful and need to be sanitized depends on the context the injection happens in (e.g., attribute context, URL context, JavaScript context, …).
The detected injection occurs within a double-quoted HTML attribute. An attacker can break out of this attribute by injecting a double quote (\”). This allows us to terminate the current attribute and to append another attribute to the HTML element. For example, an eventhandler attribute can be appended that allows executing arbitrary JavaScript code.
The detected cross-site scripting vulnerability occurs within the context of an attribute surrounded by double-quotes. To prevent abuse, it is necessary to prohibit the potentially malicious input from breaking out of this context, and inject an event handler or start a new HTML tag.
The PHP built-in function htmlentities() can be used for this matter. While escaping of single quotes is not necessary at this point, it is still recommended to do so by adding the ENT_QUOTES flag to the call to htmlentities().
The Issues were found and fixed at
app/code/Bss/MultiWishlist/view/frontend/templates/email/items.phtml
app/code/Bss/MultiWishlist/view/frontend/templates/item/list.phtml
app/code/Bss/MultiWishlist/view/frontend/templates/multiwishlist.phtml
app/code/Bss/MultiWishlist/view/frontend/templates/popup.phtml
app/code/Bss/MultiWishlist/view/frontend/templates/sharing.phtml
app/code/Bss/MultiWishlist/view/frontend/templates/view.phtml
Recommended Solution
You should install the latest Magento 2 Multiple Wishlists version v1.2.0. It is bug-free.
In case you installed the version lower v.1.2.0, we offer a free upgrade for our modules.
Contact BSS Commerce’s Support team for further help/consulting if needed.
BSS Commerce is one of the leading Multi-platform eCommerce solutions and web development services providers in the world. With experienced and certified developers, we commit to bringing high-quality products and services to optimize your business effectively. Talk to our expert now!
