
Vulnerable to cross-site scripting

11 months 3 weeks ago #1

  • Andreas
  • Posts: 13
The gallery seems to have a security problem.
It is possible, by using the gallery, to execute malicious scripts via XSS.

I think this has to be fixed rapidly.

11 months 3 weeks ago #2

  • Artem
  • Posts: 11342
Hello,

I don't see any reason for worry. This alert comes from the image thumbnail URL: www.your-ste.com/page?beautiful-and-easy-to-use-interface

If this bothers you, just disable URL in the gallery settings.

But as I mentioned earlier, I don't see any reason for worry, this is a standard technology that is used by thousands of sites. Absolutely any product filter on an eCommerce site uses similar technology to filter products.

Regards,
Artem, Balbooa.com

11 months 3 weeks ago #3

  • Andreas
  • Posts: 13
Hello and thanks for your answer, but that doesn't solve the problem.
The problem is solved if the gallery plugin is deactivated.

Any idea?

11 months 3 weeks ago #4

  • Artem
  • Posts: 11342
Andreas,

What extension are you using to view this issue?

Regards,
Artem, Balbooa.com

11 months 3 weeks ago #5

  • Andreas
  • Posts: 13
I got a mail from openbugbounty.com with a Security Vulnerability Notification.

The developer who found this issue was contacted by me, and he'll send the details with a vulnerable URL.
I found out that this vulnerable URL can execute scripts only on sites where the gallery is included via the plugin.

1 week ago another user also reported the XSS vulnerability! What has happened since then?

Here is what the vulnerable URL looks like:
www.mydomain.de/?list_type=%22%27%3E%22%...(document.domain)%3E
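The defect described in this post is a query parameter (list_type) reflected into the gallery's HTML without output encoding. The following is an added illustration in Python, not the gallery's own code: it decodes a URL of the reported shape (with a harmless marker in place of the script payload), renders the filter link both the unsafe way and the hardened way, and includes a check a site owner can use to confirm that a parameter value is no longer reflected verbatim.

```python
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample URL with the same shape as the one reported in the
# thread; the payload is replaced by the harmless marker "probe".
SAMPLE_URL = "https://www.example-gallery.invalid/?list_type=%22%27%3Eprobe"


def list_type_from_url(url: str) -> str:
    """Return the decoded list_type query parameter ('' if absent)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("list_type", [""])[0]


def render_filter_link(list_type: str, safe: bool = True) -> str:
    """Build a gallery filter link that reflects list_type twice: inside the
    href attribute and as the visible label.

    safe=False reproduces the defect: the raw value is pasted into HTML, so
    the characters \" ' > close the attribute and open a new tag.
    safe=True applies context-appropriate encoding for each location.
    """
    if not safe:
        return f'<a href="?list_type={list_type}">{list_type}</a>'
    # URL context: percent-encode everything, so the result contains only
    # %XX sequences and unreserved characters, none of which are HTML-special.
    href = "?list_type=" + quote(list_type, safe="")
    # Text context: HTML-escape, including both quote characters.
    label = escape(list_type, quote=True)
    return f'<a href="{href}">{label}</a>'


def reflected_unescaped(page_html: str, value: str) -> bool:
    """Verification check for a site owner: True if a value containing
    tag or attribute delimiters appears verbatim in the response body."""
    has_delimiters = any(ch in value for ch in '<>"\'')
    return has_delimiters and value in page_html


if __name__ == "__main__":
    value = list_type_from_url(SAMPLE_URL)
    for safe in (False, True):
        html = render_filter_link(value, safe=safe)
        print(f"safe={safe}: {html}")
        print("  reflected unescaped:", reflected_unescaped(html, value))
```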

11 months 3 weeks ago #6

  • Andreas
  • Posts: 13
Is there something new about a fix for the component?

11 months 2 weeks ago #7

  • Artem
  • Posts: 11342
Hello,

Can you reproduce the issue here?
www.balbooa.com/demo/gallery.html

If yes, contact us back with detailed instructions using our contact form:
support.balbooa.com/contact-us

Regards,
Artem, Balbooa.com