DOM Cross-Site Scripting and open redirect in saleor/react-storefront
Reported on
May 29th 2023
Vulnerable Endpoint:
https://demo.saleor.io/default-channel/en-US/account/login/?next=javascript:alert(1)
Description:
- Hello team, recently I found that on the Saleor React storefront dashboard there is a DOM XSS and open-redirect vulnerability.
Steps to reproduce XSS:
- Go to the above-mentioned link and log in with valid credentials; the XSS payload will trigger. POC:
Steps to reproduce open redirect:
- Click on the link and log in with a valid URL; you will be redirected to evil.com:
https://demo.saleor.io/default-channel/en-US/account/login/?next=http://evil.com
Impact
- XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. The most severe XSS attacks involve disclosure of the user's session cookie, allowing an attacker to hijack the user's session and take over the account. An attacker can also execute client-side scripts, etc.
Hi Akshay,
Thank you for your report, we confirmed this is a problem and forwarded the issue to the appropriate team.
I am suggesting changing the CVSS metric from UI:N to UI:R as the user needs to for example be tricked into clicking a malicious link.
While reviewing your report we also found that on top of CWE-79, the parameter ?next=... is vulnerable to open redirects (CWE-601) by for example passing https:google.com or https:\\google.com. CVSS rating: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N (medium 4.3).
For both CWE-79 and CWE-601, the issue was improperly fixed in January at https://github.com/saleor/react-storefront/commit/591a17ee2ccfaf52658b76909cf3abd80e9ad50c.
We will be updating you on the details soon.
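The `?next=` handling described in the report above and the `https:google.com` / `https:\\google.com` bypasses noted in the maintainer's reply, as an added example that is not code from saleor/react-storefront or from either participant. It shows a redirect target taken verbatim from the query string, a naive deny-list that still lets `javascript:` and protocol-relative URLs through, and an allow-list check that resolves the value with the WHATWG URL parser and keeps only a same-origin path. The origin, default path and payload strings are assumptions chosen for illustration, and the `startsWith("http")` check is a hypothetical pitfall, not the project's January fix.

```javascript
// Added example, not saleor/react-storefront code. ORIGIN, DEFAULT_PATH and
// the payloads in the demo below are assumptions constructed for illustration.
const ORIGIN = "https://demo.saleor.io";
const DEFAULT_PATH = "/default-channel/en-US/account/";

// Vulnerable pattern: the query value is used as-is. A caller that hands this
// to window.location.assign() or a router push executes `javascript:alert(1)`
// (CWE-79) and follows `http://evil.com` off-site (CWE-601).
function unsafeRedirectTarget(next) {
  return next || DEFAULT_PATH;
}

// Hypothetical deny-list (not the project's fix): blocking values that start
// with "http" misses `javascript:` and protocol-relative `//evil.com`.
function naiveRedirectTarget(next) {
  if (!next || next.startsWith("http")) return DEFAULT_PATH;
  return next;
}

// Hardened version: resolve `next` against our own origin, accept only http(s)
// URLs whose origin is ours, and return just path + query + fragment so the
// redirect can never carry another scheme or host.
function safeNextPath(next, origin = ORIGIN, fallback = DEFAULT_PATH) {
  if (typeof next !== "string" || next.length === 0) return fallback;
  let target;
  try {
    target = new URL(next, origin); // WHATWG parsing, same as the browser
  } catch {
    return fallback; // unparseable input
  }
  // Rejects javascript:, data:, http://evil.com, //evil.com, /\evil.com,
  // https:\\google.com and lookalike hosts such as demo.saleor.io.evil.com.
  // `https:google.com` on an https origin resolves to a same-origin path,
  // which is harmless, so it is allowed through as "/google.com".
  if (target.protocol !== "https:" && target.protocol !== "http:") return fallback;
  if (target.origin !== new URL(origin).origin) return fallback;
  return target.pathname + target.search + target.hash;
}

// Demo over constructed payloads; run with `node` to see each decision.
const SAMPLE_PAYLOADS = [
  "javascript:alert(1)",
  "http://evil.com",
  "//evil.com",
  "/\\evil.com",
  "https:\\\\google.com",
  "https:google.com",
  "https://demo.saleor.io.evil.com/x",
  "/checkout/?token=abc#step",
];
for (const next of SAMPLE_PAYLOADS) {
  console.log(
    JSON.stringify(next).padEnd(38),
    "unsafe:", unsafeRedirectTarget(next).padEnd(34),
    "safe:", safeNextPath(next)
  );
}
```

The key design choice is comparing `target.origin` after full parsing rather than inspecting the raw string: the parser normalises scheme case, backslashes and missing slashes exactly the way the browser will when it follows the redirect, so the check and the navigation agree on what the value means.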
Hello @maintainer @Mikail
I have updated the report and also changed the CVSS UI:N to UI:R
I forgot to say that seven months ago I submitted this issue through Bugcrowd. At that time, there was a program hosting an open-source repository where they had forked the Saleor dashboard. I mistakenly believed it was within the program's scope, so I reported this same issue via Bugcrowd. However, they advised me to report it directly to the Saleor team. Regrettably, I forgot to follow up with the Saleor team at that time.
@Mikail, could you please assign a CVE for this issue? Thanks
@admin I see you are a CNA, could it be possible for you to assign two CVEs for this project?
CVE #1: CWE-79, XSS vulnerability in login page redirect URL - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
CVE #2: CWE-601, Open redirect vulnerability in login page redirect URL - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Note that this project doesn't have any version number and the team responsible for this project mentioned they do not wish to start versioning as they are planning on archiving the project soon. Hopefully it would still be possible to issue CVE numbers.
We will be inviting users to upgrade to a specific commit once the vulnerability is disclosed.
@admin As per the maintainer's request I have created another report; the older report was this one https://huntr.dev/bounties/04c4d4ef-3208-48bd-8e86-e35c60335905
which has a bounty amount of $75. Can I get the same for this migrated report also?
Also please assign a CVE for this report, thanks
The fix is ready on our end. @admin, any info and time estimate about the CVEs? The details about the requested CVEs are available in our previous @admin mention.
Hi Mikail, if you could please mark as fixed with the commit SHA as the fix version, this will assign a CVE to the report. We can only assign one CVE per report, but I will happily assign and publish a second one as you requested; it just won't be visible on this report page. Thanks :)
@admin
As per the maintainer's request I have created another report; the older report was this one https://huntr.dev/bounties/04c4d4ef-3208-48bd-8e86-e35c60335905
which has a bounty amount of $75. Can I get the same for this migrated report also?
Hey Akshay,
The previous repository was sponsored but the corrected repository is not sponsored, so we will be unable to award a bounty in this case. If you truly find a vulnerability in saleor/saleor we can reward a bounty :)
@maintainer @Mikail,
please mark as fixed with the commit SHA
Just published the advisories:
- https://github.com/saleor/react-storefront/security/advisories/GHSA-q3fv-6cg3-pm72
- https://github.com/saleor/react-storefront/security/advisories/GHSA-wq85-q492-8vxv
Patch is available at https://github.com/saleor/react-storefront/commit/c29aab226f07ca980cc19787dcef101e11b83ef7.