Security Advisory CVE-ID: N/A Topic: Reflected Cross Site Scripting (XSS) Vulnerability in "successful registration" page Class: Input Validation Severity: Medium Discovery: 2016-04-28 Vendor Notification: 2016-04-28 Vendor response: 2016-05-30 Vendor Patch: 2016-05-31 Public Announced: 2016-08-15 Credits: Tal Argoni, CEH from Triad Security [http://www.triadsec.com/] Affects: nopCommerce, open-source & free e-commerce solution 3.70 Resolved: Version 3.8 I. Background nopCommerce is open-source e-commerce shopping cart web application written in MVC.NET. After anonymous user successfully registered the application, the application return the user a successful registration page with "continue to the shop" button. The redirection's parameter (returnurl) value is supplied by the user and echo without output validation to the browser. II. Problem Description Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. The injected code is not stored within the application itself; it is only impacts users who open a maliciously crafted link or third-party web page. The attack string is included as part of the crafted URI or HTTP parameters, improperly processed by the application, and returned to the victim. Exploit code/POC: http://VulnopCommerce/registerresult/1?returnurl=%2fcustomer%2finfo'%3balert("hacked+by+triad+s ecurity")%3b%2f%2f III. Impact The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. IV. Workaround You can work around this problem by doing the following: 1. It is recommended to use HTML-encoded at any point where it is copied into application responses. V. Solution Download vendor patch from http://www.nopcommerce.com . Update to version 3.8 VI. References http://www.triadsec.com/ https://www.linkedin.com/in/talargoni https://github.com/nopSolutions/nopCommerce/commit/364091c16bae533a6c00c0f3bd920ed15da25f 77 https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)