CVE-2024-38963
📋 TL;DR
This vulnerability allows attackers to inject malicious scripts into product review fields in nopCommerce 4.70.1. When users view these reviews, the scripts execute in their browsers, potentially stealing session cookies or performing unauthorized actions. All nopCommerce 4.70.1 installations with product review functionality enabled are affected.
💻 Affected Systems
- nopCommerce
📦 What is this software?
nopCommerce, an open-source ASP.NET Core e-commerce platform maintained by nopSolutions (the project whose GitHub issue tracker is linked under Vendor Advisory below).
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain administrative access, and compromise the entire e-commerce platform including customer data and payment information.
Likely Case
Attackers steal user session cookies to hijack accounts, deface product pages with malicious content, or redirect users to phishing sites.
If Mitigated
Scripts execute but cannot access sensitive data due to proper Content Security Policy and cookie security settings.
🎯 Exploit Status
Exploitation requires user interaction (viewing malicious reviews). Public proof-of-concept demonstrates injection via review submission form.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.70.2 or later
Vendor Advisory: https://github.com/nopSolutions/nopCommerce/issues/7224
Restart Required: No
Instructions:
1. Back up your nopCommerce installation and database.
2. Download nopCommerce 4.70.2 or later from the official repository.
3. Replace affected files with patched versions.
4. Clear application cache.
5. Test review functionality.
🔧 Temporary Workarounds
Disable Product Reviews
Temporarily disable the product review functionality to prevent exploitation.
Navigate to Admin Panel > Configuration > Settings > Catalog Settings > Product Reviews > Disable 'Allow customers to write product reviews'
Input Validation Filter
Add server-side input validation to sanitize review title and text fields.
Implement HTML encoding for AddProductReview.Title and AddProductReview.ReviewText parameters before storing in database
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Enable HttpOnly and Secure flags on session cookies to limit cookie theft
🔍 How to Verify
Check if Vulnerable:
Submit a product review with <script>alert('XSS')</script> in title or review text fields. If alert executes when viewing review, system is vulnerable.
Check Version:
Check Admin Panel > System > System Information or examine web.config/appsettings.json for version information
Verify Fix Applied:
Attempt the same XSS payload after patching. Alert should not execute and payload should be displayed as plain text.
📡 Detection & Monitoring
Log Indicators:
- Unusually long review submissions
- Review submissions containing script tags or JavaScript patterns
- Multiple review submissions from same IP
Network Indicators:
- HTTP POST requests to /productreviews/add with suspicious payloads in parameters
SIEM Query:
source="web_server_logs" AND (uri_path="/productreviews/add" AND (param="AddProductReview.Title" OR param="AddProductReview.ReviewText") AND (content="<script" OR content="javascript:"))
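The log indicators and SIEM query above, turned into runnable detection logic; this is an added example, not part of the original advisory or of nopCommerce. It scans constructed log lines (format assumed: method, path, form body on one line) for POSTs to /productreviews/add whose AddProductReview.Title or AddProductReview.ReviewText carry the query's patterns, and decodes URL encoding twice so a double-encoded payload does not slip past a literal string match.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample log lines (not from the advisory): "METHOD PATH FORM-BODY".
# Line 2 carries a URL-encoded script tag in the title, line 3 a javascript: URL in
# the review text; lines 4 and 5 hit other paths/methods and must not be flagged.
SAMPLE_LOG = """\
POST /productreviews/add AddProductReview.Title=Great+blender&AddProductReview.ReviewText=Works+well&AddProductReview.Rating=5
POST /productreviews/add AddProductReview.Title=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&AddProductReview.ReviewText=ok
POST /productreviews/add AddProductReview.Title=hi&AddProductReview.ReviewText=%3Ca+href%3D%22JavaScript%3Avoid%280%29%22%3Ex%3C%2Fa%3E
POST /customer/login Email=a%40b.c&Password=%3Cscript%3E
GET /productreviews/add?AddProductReview.Title=%3Cscript%3E
"""

WATCHED_PATH = "/productreviews/add"
WATCHED_PARAMS = ("AddProductReview.Title", "AddProductReview.ReviewText")
# The advisory's two patterns, matched case-insensitively and tolerant of whitespace.
SUSPICIOUS = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)


def decode_value(once_decoded: str) -> str:
    """parse_qs already URL-decoded once; decode a second time for double-encoded
    input, then unescape HTML entities so '&lt;script' is also caught."""
    return html.unescape(unquote_plus(once_decoded))


def flag_line(line: str):
    """Return (param, decoded_value) for the first watched parameter carrying a
    suspicious pattern on a POST to the review endpoint, or None if the line is clean."""
    parts = line.split(" ", 2)
    if len(parts) != 3:
        return None
    method, path, body = parts
    if method != "POST" or path.split("?")[0] != WATCHED_PATH:
        return None
    params = parse_qs(body, keep_blank_values=True)
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            decoded = decode_value(value)
            if SUSPICIOUS.search(decoded):
                return name, decoded
    return None


def scan(log_text: str):
    """Scan a log blob; returns a list of (line_number, param, decoded_value) hits."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        result = flag_line(line)
        if result:
            hits.append((number, *result))
    return hits
```

Long review bodies and repeated submissions from one source (the other indicators listed) are rate and length checks the same loop can carry, keyed on the client address column your log format provides.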