concrete5: Cross-Site Scripting in getMarketplacePurchaseFrame

ID H1:6843
Type hackerone
Reporter melvin
Modified 2014-08-18T16:56:20


The value returned by $mp->getProductBlockID() in the getMarketplacePurchaseFrame function (view on GitHub) is not filtered properly to protect against HTML injection/XSS.

This leads to XSS vulnerabilities in, for example, connect.php on line 14 (view on GitHub) when visiting a URL like: dashboard/extend/connect/"%20onmouseover="alert(document.cookie)">.
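
The pattern described above, as an added PHP example that is not concrete5's own code: the function names, the iframe markup and the marketplace.example URL are hypothetical, and the sketch assumes the value ends up inside a double-quoted HTML attribute, which is what the quoted URL implies. It shows the unescaped concatenation next to a version that encodes for the URL and then for the attribute.

```php
<?php
// Added illustration, not concrete5 code. All names and the URL are hypothetical.

// Constructed stand-in for what $mp->getProductBlockID() would return for the
// request path quoted in the report, after URL decoding.
$productBlockID = '" onmouseover="alert(document.cookie)">';

// Vulnerable pattern: request-derived data is concatenated into a
// double-quoted attribute, so a quote in the data ends the attribute.
function renderFrameUnsafe(string $id): string
{
    $url = 'https://marketplace.example/purchase/' . $id;
    return '<iframe src="' . $url . '"></iframe>';
}

// Hardened pattern: encode once per context, innermost context first.
function renderFrameSafe(string $id): string
{
    // URL path segment: percent-encode everything except unreserved characters.
    $url = 'https://marketplace.example/purchase/' . rawurlencode($id);
    // HTML attribute value: escape quotes, angle brackets and ampersands.
    $attr = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<iframe src="' . $attr . '"></iframe>';
}

$unsafe = renderFrameUnsafe($productBlockID);
$safe   = renderFrameSafe($productBlockID);

// Check 1: the unsafe markup carries an attribute boundary taken from the input.
$injected = strpos($unsafe, '" onmouseover="') !== false;

// Check 2: in the safe markup, the first double quote after the opening
// src=" is the one that closes the attribute, so the value stayed inside it.
$open   = strlen('<iframe src="');
$close  = strlen($safe) - strlen('"></iframe>');
$intact = strpos($safe, '"', $open) === $close;

echo $unsafe, PHP_EOL, $safe, PHP_EOL;
exit($injected && $intact ? 0 : 1);
```

Escaping at the point of output is the mitigation here; validating the identifier against its expected format where it is read adds a second layer.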