As part of our ongoing effort to improve our Magento 2 extensions, we test every module thoroughly and fix all reported issues as quickly as possible.
Recently, some customers reported that Magento 2 Multiple Wishlist versions before v1.2.0 were vulnerable to cross-site scripting (XSS), classified under CWE-79, which causes this module to fail OWASP Top 10 category A7.
This is now fixed in Magento 2 Multiple Wishlist version 1.2.0.
Some information about XSS Problems
The issue is an XSS problem classified under CWE-79, which causes this module to fail OWASP Top 10 category A7.
This enables an attacker to perform phishing attacks, steal cookies associated with the domain, or cause the victim's browser to execute arbitrary actions on the victim's behalf without the victim's knowledge.
The detected cross-site scripting vulnerability occurs within the context of an HTML attribute surrounded by double quotes. To prevent abuse, potentially malicious input must be stopped from breaking out of this context and injecting an event handler or starting a new HTML tag.
The PHP built-in function htmlentities() can be used for this. Escaping single quotes is not strictly necessary in a double-quoted attribute, but it is still recommended, by passing the ENT_QUOTES flag to htmlentities(), so the same output is also safe in single-quoted attributes.
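As an added illustration (not code from the extension), here is the double-quoted attribute case described above: the unescaped rendering beside the escaped one, plus a check that the escaped value cannot leave the attribute. The function names and the wishlist-name input are assumptions made for this example.

```php
<?php
// Added example, not the extension's own code: rendering a user-supplied
// wishlist name into a double-quoted HTML attribute, vulnerable and hardened.
declare(strict_types=1);

// Vulnerable: user-controlled text is interpolated straight into the attribute,
// so a double quote in the input closes the value and the rest becomes markup.
function renderWishlistInputVulnerable(string $wishlistName): string
{
    return '<input type="text" name="wishlist_name" value="' . $wishlistName . '">';
}

// Hardened: htmlentities() with ENT_QUOTES encodes both quote styles as well as
// < > &, so the value can neither close the attribute nor open a new tag.
function escapeAttr(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderWishlistInputSafe(string $wishlistName): string
{
    return '<input type="text" name="wishlist_name" value="' . escapeAttr($wishlistName) . '">';
}

// Defensive check usable in a unit test: an escaped attribute value must not
// contain any raw character that can terminate an attribute or start a tag.
function attributeValueIsContained(string $escaped): bool
{
    return strpbrk($escaped, "\"'<>") === false;
}

// Constructed hostile input (assumption for the example): it tries to close the
// value attribute and append an event handler, as described in the advisory.
$hostile = '" autofocus onfocus="alert(1)';

// The first line shows the attribute being broken out of; the second keeps the
// whole input inside the quoted value as entity-encoded text.
echo renderWishlistInputVulnerable($hostile), PHP_EOL;
echo renderWishlistInputSafe($hostile), PHP_EOL;

// true: nothing raw survives escaping with ENT_QUOTES.
var_dump(attributeValueIsContained(escapeAttr($hostile)));
// false: without ENT_QUOTES a single quote is left raw, which matters if the
// same helper is ever reused for a single-quoted attribute.
var_dump(attributeValueIsContained(htmlentities("it's", ENT_NOQUOTES, 'UTF-8')));
```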
The Issues were found and fixed at
You should install the latest Magento 2 Multiple Wishlist version, v1.2.0, which includes this fix.
If you are running a version lower than v1.2.0, we offer a free upgrade for our modules.
Contact BSS Commerce's Support team for further help or consulting if needed.