VirtueMart 3.1.14 - Persistent Cross-Site Scripting
- Date Published: 2018-05-17
- Last Updated: 2018-05-17
- Version Affected: VirtueMart < 3.1.14
- CVE: CVE-2018-7465
VirtueMart is Joomla's best e-Mall component. It has some great features, such as support for 128-bit HTTPS encryption, language switching, and currency switching. Registered users can manage their accounts in the trading system built by VirtueMart: manage shipping addresses, view transaction records, customize order email alerts, and more. VirtueMart is very powerful and, most importantly, open source.
An XSS issue was discovered in VirtueMart before 3.2.14. Any textarea in the admin area of the plugin can be closed by simply adding </textarea> to its value and saving the product/config. When the product/config is later opened for editing again, the editor's browser will execute everything after the </textarea>, leading to a possible XSS.
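The mechanism described above, as an added example (not VirtueMart's own code, which is PHP, and not part of the advisory): one field rendered with and without HTML encoding, plus a small audit that reports markup the parser sees outside the textarea. The function names and the sample value are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample value: closes the field early, then adds a harmless <b> marker.
SAMPLE = 'Notes</textarea><b id="marker">outside the field</b>'

def render_unsafe(name, value):
    # Vulnerable pattern: the stored value is written into the form as-is.
    return f'<textarea name="{html.escape(name)}">{value}</textarea>'

def render_safe(name, value):
    # Hardened pattern: encode &, <, > and quotes before output, so the browser
    # shows "</textarea>" as text instead of treating it as the end of the field.
    return f'<textarea name="{html.escape(name)}">{html.escape(value)}</textarea>'

class BreakoutAuditor(HTMLParser):
    """Audits ONE rendered field and records anything parsed outside it."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.inside = False
        self.escaped = []

    def handle_starttag(self, tag, attrs):
        if tag == "textarea":
            self.inside = True
        elif not self.inside:
            self.escaped.append(tag)       # element that left the field

    def handle_endtag(self, tag):
        if tag == "textarea":
            if self.inside:
                self.inside = False
            else:
                self.escaped.append("/textarea")  # stray close: field ended early

def audit(fragment):
    """Return the tags found outside the textarea; an empty list means contained."""
    auditor = BreakoutAuditor()
    auditor.feed(fragment)
    auditor.close()
    return auditor.escaped

if __name__ == "__main__":
    for render in (render_unsafe, render_safe):
        print(render.__name__, audit(render("description", SAMPLE)))
```

The same audit can be run over saved copies of admin edit forms to spot stored values that already terminate a field early.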
1. At present, the manufacturer has not provided a patch or an upgrade procedure. We recommend that users of this software keep an eye on the vendor's homepage to obtain the latest version:
2. Customers who have bought Sangfor's next-generation firewall can turn on the WAF defense module to easily defend against such vulnerabilities.