XSS vulnerabilities in the theme package #676

gtsp233 · 2024-01-20T05:02:44Z

Hi, I've found four Cross-Site Scripting (XSS) vulnerabilities in the theme package.

Vulnerability Details:

Severity: High/Critical
Description: There's a risk of malicious script execution when the input to components are controlled by an adversory.

Steps to Reproduce:

import React from "react";
import {
  PageContainer,
  CheckoutContainer,
  IndexContainer,
  SharedContainer,
} from "theme";

function App() {
  return (
    <div>
      <PageContainer
        state={{
          productDetails: {
            description: `<img src='' 
          },
        }}
      />
      <CheckoutContainer
        state={{
          pageDetails: {
            description: `<img src='' 
          },
        }}
      />
      pageDetails
    </div>
  );
}

const root = ReactDOM.createRoot(document.getElementById("root"));
root.render(<App />);

Suggested Fix or Mitigation:
Sanitize the HTML before rendering with dangerouslySetInnerHTML. To fix all of the four vulnerabilities, sanitize the HTML at the following locations:
components/checkoutSuccess.js line 117
containers/index.js line 32
components/productDetails/index.js line 21
containers/page.js line 32

The text was updated successfully, but these errors were encountered:

attesch mentioned this issue Feb 6, 2024

[Snyk] Fix for 9 vulnerabilities attesch/cezerin#306

Open

attesch mentioned this issue Apr 17, 2024

[Snyk] Fix for 1 vulnerabilities attesch/cezerin#315

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

XSS vulnerabilities in the theme package #676

XSS vulnerabilities in the theme package #676

XSS vulnerabilities in the theme package #676

XSS vulnerabilities in the theme package #676

Comments