HikaShop, 5.1.1, 3rd party extension, XSS (Cross Site Scripting)
HikaShop Version: Old 5.1.0 / New 5.1.1

Update details: Someone reported to us that it is possible, for anyone with access to the product editing interface in the backend of HikaShop, to escalate their privileges through an XSS attack by injecting JavaScript into the description of products, in HikaShop up to version 5.1.0.

This could allow them to gain super administrator access.

Following this feedback, we've added a new option to choose whether you want to filter the HTML of the product description in the backend.

It is activated by default, so this kind of attack is no longer possible with the default settings of HikaShop 5.1.1 or higher.
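As an added illustration (not HikaShop's own code, which this advisory does not show) of what filtering the HTML of the description in the backend means in practice, the following PHP sanitizer keeps only an allowlist of tags and attributes and rejects script-bearing URLs, so a JavaScript payload stored in a product description never reaches an administrator's browser. The function names and the allowed tag and attribute lists are assumptions chosen for this example.

```php
<?php
// Added illustration, not HikaShop's own code: an allowlist HTML filter for a
// product description, the kind of backend filtering that keeps a stored XSS
// payload out of the markup shown to administrators.
// The tag and attribute allowlists below are assumptions chosen for this example.

function filterProductDescription(string $html): string
{
    // Markup an editor legitimately needs in a product description.
    $allowedTags = ['p', 'br', 'b', 'strong', 'i', 'em', 'ul', 'ol', 'li',
                    'a', 'img', 'h2', 'h3', 'table', 'tr', 'td', 'th'];
    // Attributes kept per tag; anything else (on* handlers, style, ...) is dropped.
    $allowedAttrs = [
        'a'   => ['href', 'title'],
        'img' => ['src', 'alt', 'width', 'height'],
    ];

    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);          // tolerate sloppy editor HTML
    // The XML declaration forces UTF-8; the wrapper div gives a predictable root.
    $doc->loadHTML('<?xml encoding="utf-8" ?><div>' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    // Document order guarantees the wrapper is the first <div>.
    $root = $doc->getElementsByTagName('div')->item(0);
    if ($root === null) {
        return '';
    }
    sanitizeNode($root, $allowedTags, $allowedAttrs);

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function sanitizeNode(DOMNode $node, array $allowedTags, array $allowedAttrs): void
{
    // Copy the child list first: removing or unwrapping nodes mutates childNodes.
    $children = [];
    foreach ($node->childNodes as $child) {
        $children[] = $child;
    }
    foreach ($children as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!in_array($tag, $allowedTags, true)) {
                if (in_array($tag, ['script', 'style', 'iframe', 'object', 'embed', 'form'], true)) {
                    // Active content: drop the element together with its contents.
                    $node->removeChild($child);
                } else {
                    // Harmless but unlisted tag (span, div, ...): keep its text, drop the tag.
                    sanitizeNode($child, $allowedTags, $allowedAttrs);
                    while ($child->firstChild !== null) {
                        $node->insertBefore($child->firstChild, $child);
                    }
                    $node->removeChild($child);
                }
                continue;
            }
            // Strip every attribute not on this tag's allowlist; walk backwards
            // because removeAttribute shrinks the live attribute map.
            $keep = $allowedAttrs[$tag] ?? [];
            for ($i = $child->attributes->length - 1; $i >= 0; $i--) {
                $attr = $child->attributes->item($i);
                $name = strtolower($attr->name);
                if (!in_array($name, $keep, true)
                    || (in_array($name, ['href', 'src'], true) && !isSafeUrl($attr->value))) {
                    $child->removeAttribute($attr->name);
                }
            }
            sanitizeNode($child, $allowedTags, $allowedAttrs);
        } elseif (!($child instanceof DOMText)) {
            // Comments and processing instructions have no place in a description.
            $node->removeChild($child);
        }
    }
}

function isSafeUrl(string $url): bool
{
    // Browsers ignore leading/trailing whitespace and embedded tabs/newlines,
    // so strip control characters before looking for a scheme.
    $clean = preg_replace('/[\x00-\x20]+/', '', $url);
    if (!preg_match('/^[a-z][a-z0-9+.\-]*:/i', $clean)) {
        return true;                                    // relative URL, no scheme
    }
    return (bool) preg_match('#^https?://#i', $clean);  // absolute: http(s) only
}

// Constructed malicious description for the demonstration (not a real HikaShop record).
$submitted = '<p onmouseover="alert(1)">Trail <b>shoes</b></p>'
           . '<script>alert(1)</script>'
           . '<a href="javascript:alert(1)">buy now</a>'
           . '<img src="shoes.png" onerror="alert(1)" alt="shoes">';
echo filterProductDescription($submitted), PHP_EOL;
```

Run on the constructed input, the filter keeps the paragraph, the bold text, the link text and the image with its src and alt, while the event-handler attributes, the script element and the javascript: href are discarded. In a real Joomla extension this kind of allowlist filtering is what the framework's Joomla\CMS\Filter\InputFilter class provides; the point of the new option described above is that the description passes through such a filter before it is stored, while an administrator who genuinely needs raw HTML can consciously turn the filtering off and accept the risk. Output encoding when the description is displayed remains a separate layer and is not replaced by input filtering.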

Update URL: https://www.hikashop.com/home/blog/519-follow-up-on-privilege-escalation-through-the-product-description.html

Changelog URL: https://www.hikashop.com/support/documentation/56-hikashop-changelog.html

Download URL: https://www.hikashop.com/extensions/hikashop-starter.html