GHSA-CV23-Q6GH-XFRF

Vulnerability from github – Published: 2024-06-12 19:40 – Updated: 2024-07-24 15:10
VLAI?
Summary
WooCommerce has a Cross-Site Scripting (XSS) Vulnerability in checkout & registration forms
Details

Impact

A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the Sourcebuster.js library and then inserted without proper sanitization to the classic checkout and registration forms.

Patches

diff --git a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js
index 79411e928e1..25eaa721c54 100644
--- a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js
+++ b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js
@@ -155,12 +155,16 @@
         * but it's not yet supported in Safari.
         */
        connectedCallback() {
-           let inputs = '';
+           this.innerHTML = '';
+           const inputs = new DocumentFragment();
            for( const fieldName of this._fieldNames ) {
-               const value = stringifyFalsyInputValue( this.values[ fieldName ] );
-               inputs += `<input type="hidden" name="${params.prefix}${fieldName}" value="${value}"/>`;
+               const input = document.createElement( 'input' );
+               input.type = 'hidden';
+               input.name = `${params.prefix}${fieldName}`;
+               input.value = stringifyFalsyInputValue( ( this.values && this.values[ fieldName ] ) || '' );
+               inputs.appendChild( input );
            }
-           this.innerHTML = inputs;
+           this.appendChild( inputs );
        }

        /**

Workarounds

Disabling the Order Attribution feature

References

A8C SIRT: p3btAN-2L2-p2 (internal) Public disclosure: https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0/

Severity ?
5.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "woocommerce/woocommerce"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.8.0"
            },
            {
              "fixed": "8.8.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "woocommerce/woocommerce"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.9.0"
            },
            {
              "fixed": "8.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-37297"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-12T19:40:16Z",
    "nvd_published_at": "2024-06-12T15:15:52Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nA vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML \u0026 JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content \u0026 data stored in the browser, including the session.\nThe URL content is read through the Sourcebuster.js library and then inserted without proper sanitization to the classic checkout and registration forms.\n\n### Patches\n```diff\ndiff --git a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js\nindex 79411e928e1..25eaa721c54 100644\n--- a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js\n+++ b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js\n@@ -155,12 +155,16 @@\n \t\t * but it\u0027s not yet supported in Safari.\n \t\t */\n \t\tconnectedCallback() {\n-\t\t\tlet inputs = \u0027\u0027;\n+\t\t\tthis.innerHTML = \u0027\u0027;\n+\t\t\tconst inputs = new DocumentFragment();\n \t\t\tfor( const fieldName of this._fieldNames ) {\n-\t\t\t\tconst value = stringifyFalsyInputValue( this.values[ fieldName ] );\n-\t\t\t\tinputs += `\u003cinput type=\"hidden\" name=\"${params.prefix}${fieldName}\" value=\"${value}\"/\u003e`;\n+\t\t\t\tconst input = document.createElement( \u0027input\u0027 );\n+\t\t\t\tinput.type = \u0027hidden\u0027;\n+\t\t\t\tinput.name = `${params.prefix}${fieldName}`;\n+\t\t\t\tinput.value = stringifyFalsyInputValue( ( this.values \u0026\u0026 this.values[ fieldName ] ) || \u0027\u0027 );\n+\t\t\t\tinputs.appendChild( input );\n \t\t\t}\n-\t\t\tthis.innerHTML = inputs;\n+\t\t\tthis.appendChild( inputs );\n \t\t}\n \n \t\t/**\n```\n\n### Workarounds\nDisabling the Order Attribution feature \n\n### References\nA8C SIRT: p3btAN-2L2-p2 (internal)\nPublic disclosure: https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0/\n",
  "id": "GHSA-cv23-q6gh-xfrf",
  "modified": "2024-07-24T15:10:12Z",
  "published": "2024-06-12T19:40:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/woocommerce/woocommerce/security/advisories/GHSA-cv23-q6gh-xfrf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37297"
    },
    {
      "type": "WEB",
      "url": "https://github.com/woocommerce/woocommerce/commit/0e9888305d0cb9557e58f558526ab11cb3bcc4b4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/woocommerce/woocommerce/commit/915e32a42762916b745a7e663c8b69a698da8b67"
    },
    {
      "type": "WEB",
      "url": "https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/woocommerce/woocommerce"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "WooCommerce has a Cross-Site Scripting (XSS) Vulnerability in checkout \u0026 registration forms"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.