Cross-site Scripting (XSS)
Affecting solidus_backend gem, versions >=1.0.0.pre,<1.0.5 || >=1.1.0.beta1,<1.1.3 || >=1.2.0.beta1,<1.2.1
solidus_backend is the admin interface for the Solidus e-commerce framework.
These attacks are possible by escaping the context of the web application and injecting malicious scripts into an otherwise trusted website. These scripts can introduce additional attributes (say, a "new" option in a dropdown list or a new link to a malicious site) and can potentially execute code on the client side, unbeknownst to the victim. This occurs when characters like < > " ' are not escaped properly before being written into HTML output.
There are a few types of XSS:
- Persistent XSS is an attack in which the malicious code persists in the web app's database and is served to every user who views the affected page.
- Reflected XSS is an attack in which the website echoes back a portion of the request. The attacker needs to trick the user into clicking a malicious link (for instance through a phishing email or malicious JS on another page), which triggers the XSS attack.
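The advisory's dropdown example, worked through in Ruby (the language of Solidus). This is an added illustration, not code from Solidus, solidus_backend or Snyk: the option-tag helpers, the labels and the check are all constructed here. It shows the same label rendered with and without output escaping and a simple review check (count the `<option>` tags you expected to emit) that catches the "new option in a dropdown list" the advisory describes.

```ruby
require "erb"

# Constructed product option labels. The second one carries the characters
# the advisory names (< > " ') arranged so that, rendered unescaped, it closes
# the current <option> and opens another. Sample data for this example only.
LABELS = ["Red", %q{Blue</option><option value="x">Not a real colour}]

# Vulnerable pattern: interpolate user-controlled text straight into HTML.
def option_tags_unescaped(labels)
  labels.map { |l| %(<option value="#{l}">#{l}</option>) }.join
end

# Hardened pattern: escape on output. ERB::Util.html_escape is what Rails'
# auto-escaping and the `h` helper use; & < > " ' all become entities, so the
# label is displayed as text instead of being parsed as markup.
def option_tags_escaped(labels)
  labels.map do |l|
    e = ERB::Util.html_escape(l)
    %(<option value="#{e}">#{e}</option>)
  end.join
end

# Review check: the rendered markup must contain exactly one <option> tag per
# label. Any extra tag means label text was interpreted as HTML.
def option_count(html)
  html.scan(/<option\b/).length
end

def markup_intact?(html, labels)
  option_count(html) == labels.length
end

if __FILE__ == $PROGRAM_NAME
  puts option_tags_unescaped(LABELS)
  puts option_tags_escaped(LABELS)
  puts markup_intact?(option_tags_unescaped(LABELS), LABELS) # → false
  puts markup_intact?(option_tags_escaped(LABELS), LABELS)   # → true
end
```

The escaped rendering keeps the suspicious label on screen (so an admin can still see what was submitted) while the browser never sees a second `<option>`; in a Rails view the same effect comes from leaving auto-escaping on and never marking user-supplied strings `html_safe`.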
You can read more about Cross-site Scripting (XSS) on our blog.
Upgrade solidus_backend to version 1.2.1 or higher.
- John Hawthorn
- 16 Feb, 2016
- 10 Jan, 2018