Magento Commerce Widget Form (Core) XSS Vulnerability
While e-commerce makes our lives increasingly convenient, it currently faces a growing number of threats across the web. According to the Alexa top 1M e-commerce platforms for 2018, the e-commerce platform Magento Commerce currently holds more than a 14% market share, making it the second largest e-commerce platform in the world. Magento's customers include some highly prominent organizations, including HP, Coca-Cola, and Canon.
The FortiGuard Labs team recently discovered a Cross-Site Scripting (XSS) vulnerability in Magento. This XSS vulnerability is caused by Magento failing to sanitize user-supplied input before inserting it into a dynamically generated widget form. While this XSS vulnerability only exists on the Magento Administrator's page, it could allow a remote attacker to execute arbitrary code in a victim's browser and then gain control of high-privilege Magento accounts to access sensitive data or take control of the vulnerable websites.
This XSS vulnerability affects Magento Commerce 2.1 prior to 2.1.16 and Magento Commerce 2.2 prior to 2.2.7.
Analysis
When editing a Magento web page, there are two modes: WYSIWYG Mode and HTML Mode. In WYSIWYG Mode, one of the buttons is called "Insert Widget..." (see Figure 1). Figure 2 shows that we can directly call the Insert Widget function's form by accessing the link http://IP/magento/index.php/admin/admin/widget/index/.
The form in Figure 2 is generated by a PHP function in Widget.php, which is located at /vendor/magento/module-widget/Block/Adminhtml/Widget.php (GitHub link). It processes the user-supplied URL, filters the value of the parameter "widget_target_id", and inserts it into a script tag, as shown in Figure 3. For instance, when we access t
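The pattern described above, a request parameter filtered and then spliced into a script tag, is illustrated below with an added example that is not Magento's code: a hypothetical character denylist beside a hardened rendering that encodes the value as a JSON string literal so it can never terminate the JS string or the tag. The sample value is constructed.

```php
<?php
// Added illustration (not Magento's code): rendering the widget_target_id
// parameter into a <script> block, first with a weak filter, then hardened.

// Weak: strip a few characters and splice the value into a JS string literal.
// Inside a script tag, quotes, "</script>" and line terminators all change
// meaning, so a short denylist like this one (hypothetical) is easy to bypass.
function renderWidgetTargetWeak(string $widgetTargetId): string
{
    $filtered = str_replace(['<', '>'], '', $widgetTargetId);
    return "<script>var widgetTargetId = '" . $filtered . "';</script>";
}

// Hardened: encode the value as a JSON string literal with the HTML- and
// JS-sensitive characters hex-escaped (< > ' " & become \u00XX sequences).
// Magento's own Escaper::escapeJs() serves the same purpose inside a block.
function renderWidgetTargetSafe(string $widgetTargetId): string
{
    $encoded = json_encode(
        $widgetTargetId,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
    );
    return "<script>var widgetTargetId = " . $encoded . ";</script>";
}

// Constructed sample: an apostrophe survives the denylist and ends the JS
// string literal in the weak version, but is encoded as \u0027 in the safe one.
$sample = "o'reilly_form";
echo renderWidgetTargetWeak($sample), PHP_EOL;
// <script>var widgetTargetId = 'o'reilly_form';</script>
echo renderWidgetTargetSafe($sample), PHP_EOL;
// <script>var widgetTargetId = "o\u0027reilly_form";</script>
```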