The URL parameter next at /[channel]/[locale]/account/login/ in react-storefront can be used to craft XSS attacks against unsuspecting users.
Impact
Arbitrary Javascript code can be executed by malicious actor against a user which could lead to leaking information and perform actions on behalf of the user. This requires user-interaction, such as but not limited to social-engineering.
Patches
Workarounds
We recommend upgrading to the latest version as soon as possible. If unable, possible workarounds are:
- Define a Content-Security-Policy disallowing inline scripts (
script-src)
- Drop the
next parameter from login page (e.g. WAFs)
References
AkshayraviC09YC47 Analyst
The URL parameter
nextat/[channel]/[locale]/account/login/in react-storefront can be used to craft XSS attacks against unsuspecting users.Impact
Arbitrary Javascript code can be executed by malicious actor against a user which could lead to leaking information and perform actions on behalf of the user. This requires user-interaction, such as but not limited to social-engineering.
Patches
Workarounds
We recommend upgrading to the latest version as soon as possible. If unable, possible workarounds are:
script-src)nextparameter from login page (e.g. WAFs)References