GHSA-gm68-572p-q28r

Source
https://github.com/advisories/GHSA-gm68-572p-q28r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-gm68-572p-q28r/GHSA-gm68-572p-q28r.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-gm68-572p-q28r
Published
2023-07-06T15:30:51Z
Modified
2023-07-06T15:30:51Z
Summary
@vendure/admin-ui-plugin authenticated Cross-site Scripting vulnerability
Details

Impact

Vendure's authorization system assigns administrators different levels of privilege; for example, an administrator need not have the permission to create another administrator.

The admin UI has several description inputs, for example in the inventory/collection catalog, shipping methods and promotions.

The WYSIWYG editor only allows a limited set of formatting, but that restriction is enforced solely in the browser: a request crafted outside the UI can store arbitrary HTML in a description field, and the server saves and returns it without sanitization. The admin UI then renders the stored HTML as-is, causing a stored XSS whenever the page is viewed.

The impact of this XSS is privilege escalation. Any user who can write a description of any kind can plant the payload; every other user who subsequently views the affected page executes the attacker's JavaScript in the context of their own session, which lets the attacker perform actions on behalf of that (possibly more privileged) user.
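
The root cause above is that the allowlist lives only in the editor, so the fix belongs on the server, where the request body is accepted. The following is an added example, not Vendure's own code or patch: a small allowlist-based sanitizer for description HTML that strips disallowed tags, event-handler and style attributes, and `javascript:` hrefs, and records what it removed so that already-stored descriptions can be audited after upgrading. The allowlist, the sample inputs and the function names are assumptions made for the example; a production deployment would normally use a maintained sanitizer library rather than a hand-rolled tokenizer.

```typescript
// Added example (not Vendure's code): allowlist sanitization for rich-text
// description fields, applied server-side so that a crafted API request
// cannot bypass the WYSIWYG editor's client-side restrictions.

interface SanitizeResult {
  html: string;      // safe HTML to store and render
  removed: string[]; // what was stripped; useful for auditing existing data
}

// Tags the description editor legitimately produces (assumed allowlist).
const ALLOWED_TAGS = new Set<string>([
  "p", "br", "strong", "em", "b", "i", "u", "ul", "ol", "li", "h1", "h2", "h3", "a",
]);

// Attributes permitted per tag; anything else (style, on*, src, ...) is dropped.
const ALLOWED_ATTRS: { [tag: string]: Set<string> } = {
  a: new Set<string>(["href"]),
};

// Text nodes and attribute values are always entity-escaped.
function escapeText(text: string): string {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Only http(s) and mailto hrefs; scheme-less (relative) URLs are allowed.
function isSafeHref(value: string): boolean {
  // Strip whitespace/control characters so "java\tscript:" is not missed.
  const probe = value.replace(/[\s\x00-\x1f]/g, "").toLowerCase();
  const hasScheme = /^[a-z][a-z0-9+.-]*:/.test(probe);
  return !hasScheme || /^(https?|mailto):/.test(probe);
}

function sanitizeAttrs(tag: string, raw: string, removed: string[]): string {
  const allowed = ALLOWED_ATTRS[tag];
  const attrRe = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = "";
  let m: RegExpExecArray | null;
  while ((m = attrRe.exec(raw)) !== null) {
    const name = m[1].toLowerCase();
    const value = (m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4] !== undefined ? m[4] : "").trim();
    if (!allowed || !allowed.has(name)) {
      removed.push(`attr:${tag}.${name}`); // drops onerror=, style=, etc.
      continue;
    }
    if (name === "href" && !isSafeHref(value)) {
      removed.push(`href:${value}`);
      continue;
    }
    out += ` ${name}="${escapeText(value)}"`;
  }
  return out;
}

function sanitizeDescription(html: string): SanitizeResult {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  const removed: string[] = [];
  let out = "";
  let last = 0;
  let m: RegExpExecArray | null;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index)); // text between tags
    last = m.index + m[0].length;
    const tag = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) {
      removed.push(`tag:${tag}`); // drop the tag itself, keep surrounding text
      continue;
    }
    if (m[0].startsWith("</")) {
      out += `</${tag}>`;
    } else if (tag === "br") {
      out += "<br>";
    } else {
      out += `<${tag}${sanitizeAttrs(tag, m[2], removed)}>`;
    }
  }
  out += escapeText(html.slice(last)); // trailing text
  return { html: out, removed };
}

// Post-upgrade audit: stored descriptions that carry content the sanitizer
// would strip are candidates for a payload injected via the API.
function auditDescriptions(rows: { id: string; description: string }[]): { id: string; removed: string[] }[] {
  return rows
    .map(r => ({ id: r.id, removed: sanitizeDescription(r.description).removed }))
    .filter(r => r.removed.length > 0);
}

// Constructed sample inputs (not real Vendure data).
const EDITOR_OUTPUT =
  '<p>Free shipping on orders over <strong>$50</strong>. ' +
  '<a href="https://example.com/terms">Terms</a></p>';
const CRAFTED_REQUEST =
  '<p>Summer sale</p>' +
  '<img src=x onerror="alert(document.cookie)">' +
  '<a href="javascript:alert(1)">details</a>' +
  '<script>alert(1)</script>';

const demo = sanitizeDescription(CRAFTED_REQUEST);
console.log(demo.html);    // <p>Summer sale</p><a>details</a>alert(1)
console.log(demo.removed); // [ 'tag:img', 'href:javascript:alert(1)', 'tag:script', 'tag:script' ]
```

The editor's own output passes through unchanged, while the crafted body loses the `img` element, the `javascript:` href and the `script` tags; the `removed` list is what an audit of existing rows would surface. The tokenizer is deliberately simple and lossy (for example a `>` inside an attribute value ends the tag early), which is acceptable for a strip-and-escape policy but is the reason to prefer a maintained sanitizer in production.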

Patches

In progress at the time of publication; the affected range below lists 2.0.3 as the fixed version.

Workarounds

None documented in this advisory; upgrade to a fixed version.

References

None listed in this advisory.

Database specific
{
    "github_reviewed_at": "2023-07-06T15:30:51Z",
    "github_reviewed": true,
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE"
}
Affected packages

npm / @vendure/admin-ui-plugin

Package

Name
@vendure/admin-ui-plugin
Purl
pkg:npm/%40vendure/admin-ui-plugin

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.0.3