GHSA-cv23-q6gh-xfrf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-cv23-q6gh-xfrf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-cv23-q6gh-xfrf/GHSA-cv23-q6gh-xfrf.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-cv23-q6gh-xfrf
- Aliases
- Published
- 2024-06-12T19:40:16Z
- Modified
- 2024-07-24T15:10:12Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- WooCommerce has a Cross-Site Scripting (XSS) Vulnerability in checkout & registration forms
- Details
-
Impact
A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the Sourcebuster.js library and then inserted without proper sanitization to the classic checkout and registration forms.
Patches
diff --git a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js index 79411e928e1..25eaa721c54 100644 --- a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js +++ b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js @@ -155,12 +155,16 @@ * but it's not yet supported in Safari. */ connectedCallback() { - let inputs = ''; + this.innerHTML = ''; + const inputs = new DocumentFragment(); for( const fieldName of this._fieldNames ) { - const value = stringifyFalsyInputValue( this.values[ fieldName ] ); - inputs += `<input type="hidden" name="${params.prefix}${fieldName}" value="${value}"/>`; + const input = document.createElement( 'input' ); + input.type = 'hidden'; + input.name = `${params.prefix}${fieldName}`; + input.value = stringifyFalsyInputValue( ( this.values && this.values[ fieldName ] ) || '' ); + inputs.appendChild( input ); } - this.innerHTML = inputs; + this.appendChild( inputs ); } /**Workarounds
Disabling the Order Attribution feature
References
A8C SIRT: p3btAN-2L2-p2 (internal) Public disclosure: https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0/
- Database specific
{ "nvd_published_at": "2024-06-12T15:15:52Z", "cwe_ids": [ "CWE-79", "CWE-80" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-06-12T19:40:16Z" }- References
-
- https://github.com/woocommerce/woocommerce/security/advisories/GHSA-cv23-q6gh-xfrf
- https://nvd.nist.gov/vuln/detail/CVE-2024-37297
- https://github.com/woocommerce/woocommerce/commit/0e9888305d0cb9557e58f558526ab11cb3bcc4b4
- https://github.com/woocommerce/woocommerce/commit/915e32a42762916b745a7e663c8b69a698da8b67
- https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0
- https://github.com/woocommerce/woocommerce
Affected packages
Packagist / woocommerce/woocommerce
Package
- Name
- woocommerce/woocommerce
- Purl
- pkg:composer/woocommerce/woocommerce
Packagist / woocommerce/woocommerce
Package
- Name
- woocommerce/woocommerce
- Purl
- pkg:composer/woocommerce/woocommerce