The URL parameter next at /[channel]/[locale]/account/login/ in react-storefront can be used to craft XSS attacks against unsuspecting users.
Impact
Arbitrary JavaScript code can be executed by a malicious actor against a user, which could lead to leaking information and performing actions on behalf of the user. This requires user interaction, such as but not limited to social engineering.
Patches
Workarounds
We recommend upgrading to the latest version as soon as possible. If unable, possible workarounds are:
- Define a Content-Security-Policy disallowing inline scripts (script-src)
- Drop the next parameter from the login page (e.g. via a WAF)
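As an added illustration of the defensive side (this is not react-storefront's own code), the snippet below validates a next value so that only same-origin paths are ever used as the post-login redirect target, and shows the CSP header form of the first workaround. The origin https://shop.example is an assumed, constructed value.

```javascript
// Added example, not code from react-storefront: sanitise the "next"
// parameter before using it as a post-login redirect target.
// Assumption: the storefront is served from ORIGIN (constructed value).
const ORIGIN = "https://shop.example";
const DEFAULT_NEXT = "/";

// Returns a same-origin path (path + query + fragment), or DEFAULT_NEXT
// when "next" is missing, unparsable, or points anywhere else.
function safeNextPath(next) {
  if (typeof next !== "string" || next.length === 0) return DEFAULT_NEXT;
  let parsed;
  try {
    // Resolving against ORIGIN keeps plain relative paths same-origin,
    // while scheme-bearing values ("javascript:", "data:"), scheme-relative
    // values ("//host") and backslash variants ("/\host") resolve elsewhere
    // and fail the origin comparison below.
    parsed = new URL(next, ORIGIN);
  } catch (e) {
    return DEFAULT_NEXT;
  }
  if (parsed.origin !== ORIGIN) return DEFAULT_NEXT;
  return parsed.pathname + parsed.search + parsed.hash;
}

// First workaround from the advisory in header form: without an inline
// script allowance, a reflected inline script or handler does not execute.
// 'self' and the other directives are assumptions for the example.
const CSP_HEADER = "script-src 'self'; object-src 'none'; base-uri 'self'";

// Example use in a login handler: query is the parsed query string object.
function loginRedirect(query) {
  return safeNextPath(query.next);
}
```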
References