@enferas
Last active January 21, 2023 11:53
XSS in Ecommerce-CodeIgniter-Bootstrap

CVE-2023-23010 is assigned

Link: https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap

Patch: https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/commit/d5904379ca55014c5df34c67deda982c73dc7fe5

Multiple XSS vulnerabilities.

In file Ecommerce-CodeIgniter-Bootstrap-master\application\modules\vendor\views\add_product.php

```php
<?php foreach ($languages as $language) { ?>
<button type="button" data-locale-change="<?= $language->abbr ?>" class="btn btn-default locale-change text-uppercase <?= $language->abbr == MY_DEFAULT_LANGUAGE_ABBR ? 'active' : '' ?>">
    <img src="<?= base_url('attachments/lang_flags/' . $language->flag) ?>" alt="">
    <?= $language->abbr ?>
</button>
<?php } ?>
</div>
<?php
$i = 0;
foreach ($languages as $language) {
?>
<div class="locale-container locale-container-<?= $language->abbr ?>" <?= $language->abbr == MY_DEFAULT_LANGUAGE_ABBR ? 'style="display:block;"' : '' ?>>
<input type="hidden" name="translations[]" value="<?= $language->abbr ?>">
<div class="form-group">
    <img src="<?= base_url('attachments/lang_flags/' . $language->flag) ?>" alt="<?= $language->name ?>" class="language">
    <input type="text" name="title[]" placeholder="<?= lang('vendor_product_name') ?>" value="<?= $trans_load != null && isset($trans_load[$language->abbr]['title']) ? $trans_load[$language->abbr]['title'] : '' ?>" class="form-control">
</div> 
<label><?= lang('vendor_product_description') ?> <img src="<?= base_url('attachments/lang_flags/' . $language->flag) ?>" alt="<?= $language->name ?>"></label>
//...
```

$languages and $trans_load are loaded from the database and echoed into the view without any escaping, both inside attribute values and as element text.

In file Ecommerce-CodeIgniter-Bootstrap-master\application\modules\vendor\controllers\AddProduct.php

```php
$data['languages'] = $this->Languages_model->getLanguages();
//...
$this->load->view('add_product', $data);
```

In file Ecommerce-CodeIgniter-Bootstrap-master\application\modules\admin\models\Languages_model.php

```php
public function getLanguages(){
    $query = $this->db->query('SELECT * FROM languages');
    return $query->result();
}

public function setLanguage($post){
    $post['name'] = strtolower($post['name']);
    $post['abbr'] = strtolower($post['abbr']);
    if (!$this->db->insert('languages', $post)) {
        log_message('error', print_r($this->db->error(), true));
        show_error(lang('database_error'));
    }
}
```

The setLanguage method is called in file Ecommerce-CodeIgniter-Bootstrap-master\application\modules\admin\controllers\advanced_settings\Languages.php

```php
$this->Languages_model->setLanguage($_POST);
```
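To make the source-to-sink path above concrete, here is an added stand-alone example (not code from the project or from the patch) that renders one constructed language record the way the view does, then with output escaping and a model-side format check. The stand-in `html_escape_compat()` mirrors CodeIgniter 3's `html_escape()`; `base_url()` is replaced by a literal path so the script runs without the framework.

```php
<?php
// Added example, not the project's code. Shows the two output contexts from
// add_product.php (attribute value and element text) fed by a value that
// setLanguage() stores after strtolower() only.

// Stand-in for CodeIgniter 3's html_escape(): htmlspecialchars with ENT_QUOTES.
function html_escape_compat(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Model-side check a hardened setLanguage() could apply before insert:
// an abbreviation is a short lowercase code, a name is plain letters/spaces.
function language_post_errors(array $post): array {
    $errors = [];
    if (!preg_match('/^[a-z]{2,3}$/', $post['abbr'] ?? '')) {
        $errors[] = 'abbr must be 2-3 lowercase letters';
    }
    if (!preg_match('/^[\p{L} ]{1,64}$/u', $post['name'] ?? '')) {
        $errors[] = 'name must be letters and spaces only';
    }
    return $errors;
}

// Constructed row as the current setLanguage() would persist it: lowercased,
// but no character removed or encoded.
$language = (object) [
    'abbr' => strtolower('en"><i>x</i>'),
    'name' => strtolower('<b>English</b>'),
    'flag' => 'en.png',
];

// Vulnerable rendering, mirroring the view: raw DB values in an attribute and as text.
function render_unsafe(object $lang): string {
    return '<button data-locale-change="' . $lang->abbr . '">' . "\n"
         . '  <img src="attachments/lang_flags/' . $lang->flag . '" alt="' . $lang->name . '">' . "\n"
         . '  ' . $lang->abbr . "\n</button>";
}

// Hardened rendering: every DB-sourced value is escaped for the context it lands in.
function render_safe(object $lang): string {
    return '<button data-locale-change="' . html_escape_compat($lang->abbr) . '">' . "\n"
         . '  <img src="attachments/lang_flags/' . rawurlencode($lang->flag)
         . '" alt="' . html_escape_compat($lang->name) . '">' . "\n"
         . '  ' . html_escape_compat($lang->abbr) . "\n</button>";
}

echo "--- unsafe ---\n", render_unsafe($language), "\n";
echo "--- safe ---\n", render_safe($language), "\n";
echo "--- input check ---\n", implode("\n", language_post_errors((array) $language)), "\n";
```

The unsafe output closes the `data-locale-change` attribute early and places the stored markup into the page; the safe output keeps the same values inert, and the input check rejects the record before it ever reaches the `languages` table.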

There are other similar vulnerabilities that I can provide if you confirm my report.
