ghsa-cv23-q6gh-xfrf
Vulnerability from github
Impact
A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the Sourcebuster.js library and then inserted without proper sanitization to the classic checkout and registration forms.
Patches
``diff
diff --git a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js
index 79411e928e1..25eaa721c54 100644
--- a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js
+++ b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js
@@ -155,12 +155,16 @@
* but it's not yet supported in Safari.
*/
connectedCallback() {
- let inputs = '';
+ this.innerHTML = '';
+ const inputs = new DocumentFragment();
for( const fieldName of this._fieldNames ) {
- const value = stringifyFalsyInputValue( this.values[ fieldName ] );
- inputs +=;
+ const input = document.createElement( 'input' );
+ input.type = 'hidden';
+ input.name =${params.prefix}${fieldName}`;
+ input.value = stringifyFalsyInputValue( ( this.values && this.values[ fieldName ] ) || '' );
+ inputs.appendChild( input );
}
- this.innerHTML = inputs;
+ this.appendChild( inputs );
}
/**
```
Workarounds
Disabling the Order Attribution feature
References
A8C SIRT: p3btAN-2L2-p2 (internal) Public disclosure: https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0/
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "woocommerce/woocommerce"
},
"ranges": [
{
"events": [
{
"introduced": "8.8.0"
},
{
"fixed": "8.8.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "woocommerce/woocommerce"
},
"ranges": [
{
"events": [
{
"introduced": "8.9.0"
},
{
"fixed": "8.9.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-37297"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-12T19:40:16Z",
"nvd_published_at": "2024-06-12T15:15:52Z",
"severity": "MODERATE"
},
"details": "### Impact\nA vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML \u0026 JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content \u0026 data stored in the browser, including the session.\nThe URL content is read through the Sourcebuster.js library and then inserted without proper sanitization to the classic checkout and registration forms.\n\n### Patches\n```diff\ndiff --git a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js\nindex 79411e928e1..25eaa721c54 100644\n--- a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js\n+++ b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js\n@@ -155,12 +155,16 @@\n \t\t * but it\u0027s not yet supported in Safari.\n \t\t */\n \t\tconnectedCallback() {\n-\t\t\tlet inputs = \u0027\u0027;\n+\t\t\tthis.innerHTML = \u0027\u0027;\n+\t\t\tconst inputs = new DocumentFragment();\n \t\t\tfor( const fieldName of this._fieldNames ) {\n-\t\t\t\tconst value = stringifyFalsyInputValue( this.values[ fieldName ] );\n-\t\t\t\tinputs += `\u003cinput type=\"hidden\" name=\"${params.prefix}${fieldName}\" value=\"${value}\"/\u003e`;\n+\t\t\t\tconst input = document.createElement( \u0027input\u0027 );\n+\t\t\t\tinput.type = \u0027hidden\u0027;\n+\t\t\t\tinput.name = `${params.prefix}${fieldName}`;\n+\t\t\t\tinput.value = stringifyFalsyInputValue( ( this.values \u0026\u0026 this.values[ fieldName ] ) || \u0027\u0027 );\n+\t\t\t\tinputs.appendChild( input );\n \t\t\t}\n-\t\t\tthis.innerHTML = inputs;\n+\t\t\tthis.appendChild( inputs );\n \t\t}\n \n \t\t/**\n```\n\n### Workarounds\nDisabling the Order Attribution feature \n\n### References\nA8C SIRT: p3btAN-2L2-p2 (internal)\nPublic disclosure: https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0/\n",
"id": "GHSA-cv23-q6gh-xfrf",
"modified": "2024-07-24T15:10:12Z",
"published": "2024-06-12T19:40:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/woocommerce/woocommerce/security/advisories/GHSA-cv23-q6gh-xfrf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37297"
},
{
"type": "WEB",
"url": "https://github.com/woocommerce/woocommerce/commit/0e9888305d0cb9557e58f558526ab11cb3bcc4b4"
},
{
"type": "WEB",
"url": "https://github.com/woocommerce/woocommerce/commit/915e32a42762916b745a7e663c8b69a698da8b67"
},
{
"type": "WEB",
"url": "https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0"
},
{
"type": "PACKAGE",
"url": "https://github.com/woocommerce/woocommerce"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "WooCommerce has a Cross-Site Scripting (XSS) Vulnerability in checkout \u0026 registration forms"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.