In an open e-commerce platform
One of the problems allows an unauthenticated user to place JavaScript code (XSS) that is executed when the history of cancelled orders is viewed in the admin interface. The essence of the vulnerability is the ability to bypass the text sanitization performed by the escapeHtmlWithLinks() function when a note from the cancel form on the checkout start screen is processed (using an “a href=http://onmouseover=…” tag nested inside another tag). The problem manifests itself when the built-in Authorize.Net module, used to accept credit card payments, is in use.
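The underlying lesson is about ordering: a renderer that tries to keep user-written link tags while escaping the rest is hard to get right, whereas escaping everything first and then turning bare URLs into links leaves no path for user-supplied markup into the output. The following is an added example written for this article, not Magento's escapeHtmlWithLinks() or any other Magento code; the function names, the URL pattern and the sample note are constructed here.

```python
import html
import re
from typing import List

# Only absolute http(s) URLs are turned into links. The character class stops
# at whitespace, angle brackets and quotes, so a match can never swallow markup.
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def linkify_note(note: str) -> str:
    """Render a customer note as HTML: escape everything, then autolink bare URLs.

    The ordering is the point. Text between URLs is HTML-escaped, and each URL
    is escaped again before it is placed inside a quoted href, so the only tags
    in the output are the <a> elements this function itself emits. User-supplied
    markup such as a nested "a href=http://onmouseover=..." tag is rendered as
    literal text instead of being interpreted by the browser.
    """
    parts: List[str] = []
    pos = 0
    for m in URL_RE.finditer(note):
        parts.append(html.escape(note[pos:m.start()], quote=True))
        url = html.escape(m.group(0), quote=True)
        parts.append(f'<a href="{url}" rel="noopener noreferrer">{url}</a>')
        pos = m.end()
    parts.append(html.escape(note[pos:], quote=True))
    return "".join(parts)

# Review check: every tag in the rendered output must be one of the two shapes
# linkify_note() produces; any other '<' or '>' means user markup leaked through.
GENERATED_TAG_RE = re.compile(r'<a href="[^"<>]*" rel="noopener noreferrer">|</a>')

def only_generated_tags(rendered: str) -> bool:
    stripped = GENERATED_TAG_RE.sub("", rendered)
    return "<" not in stripped and ">" not in stripped

# Constructed sample note of the kind a shopper could type into a cancel form:
# a tag nested inside another tag, plus a genuine URL that should stay clickable.
SAMPLE_NOTE = (
    "Please cancel <b><a href=http://onmouseover=handler>this</a></b> order, "
    "see https://shop.example/orders/42?ref=1&x=2 for details"
)

if __name__ == "__main__":
    out = linkify_note(SAMPLE_NOTE)
    print(out)
    print("only generated tags:", only_generated_tags(out))
```

Run stand-alone, the script prints the rendered note: the nested tags appear as `&lt;b&gt;&lt;a href=` text, the `http://onmouseover=handler` fragment ends up only as a quoted href value and as visible link text (where it is harmless), and the real order URL becomes a proper link with its `&` escaped. The `only_generated_tags()` check is the kind of assertion worth keeping in a template's unit tests: it fails the moment any tag other than the generated anchors reaches the output.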
To gain full control with JavaScript code running in the context of a store employee's current session, a second vulnerability is exploited that allows uploading a phar file disguised as an image (
Interestingly, information about the XSS problem was sent to the Magento developers back in September 2018, after which a patch was released at the end of November that, as it turned out, eliminated only one special case and was easily bypassed. In January, the possibility of uploading a Phar file under the guise of an image was additionally reported, and it was shown how the combination of the two vulnerabilities can be used to compromise online stores. At the end of March, Magento 2.3.1, 2.2.8 and 2.1.17 fixed the problem with Phar files but left out the XSS fix, even though the issue ticket had been closed. In April, the XSS issue was re-examined and was fixed in releases 2.3.2, 2.2.9 and 2.1.18.
It should be noted that these releases also fixed 75 vulnerabilities, 16 of which are marked as critical, and 20 of the problems can lead to PHP code execution or SQL injection. Most of the critical issues can only be exploited by an authenticated user, but, as shown above, authenticated operations are not hard to achieve through XSS vulnerabilities, dozens of which were fixed in the releases mentioned.
Source: opennet.ru