Question

I installed SUPEE-7405 and everything appeared to go smoothly with no errors. However, I tested out the exploit described here and, to my horror, the site still allows me to create an account with an email address like:

"<script>alert(1);</script>"@example.com

I would assume that whatever file was changed to fix APPSEC-1213 is being overridden by an extension somewhere, but how can I even find out what file was changed to fix APPSEC-1213?

Solution

For anyone wondering, the fix for this exploit was in app/design/adminhtml/default/default/template/sales/order/view/info.phtml, and that template was being overridden by cart2quote. Anyone using cart2quote on their Magento site should be aware that they are still vulnerable to APPSEC-1213 even after installing SUPEE-7405.
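
One way to list the files a patch touches and flag copies of a patched template elsewhere in the design tree, as an added example that is not part of the original post. It assumes the patch file carries unified-diff `+++ <path>` headers; the function names, the `vendorx` directory and the demo patch content are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Assumes the SUPEE patch file
# carries unified-diff "+++ <path>" headers and that $2 is a Magento 1 root.

# List every file the patch touches; strips an optional "b/" prefix.
patched_files() {
    grep -E '^\+\+\+ ' "$1" | awk '{print $2}' | sed 's#^b/##' |
        grep -v '^/dev/null$' | sort -u
}

# For each patched template, print "<patched file><TAB><possible override>".
# Heuristic: any other file in the same design area whose path ends in the
# same path below template/ (theme-fallback copy or extension-bundled copy).
find_template_overrides() {
    local patch=$1 root=$2 f area rel hit
    patched_files "$patch" |
        grep -E '^app/design/[^/]+/[^/]+/[^/]+/template/.+\.phtml$' |
        while IFS= read -r f; do
            area=$(printf '%s\n' "$f" | cut -d/ -f3)
            rel=$(printf '%s\n' "$f" |
                sed -E 's#^app/design/([^/]+/){3}template/##')
            find "$root/app/design/$area" -type f -path "*/$rel" \
                ! -path "$root/$f" | sort |
                while IFS= read -r hit; do
                    printf '%s\t%s\n' "$f" "${hit#"$root"/}"
                done
        done
}

# Constructed demo: fake tree and fake patch headers in a temp directory.
demo() {
    local d t=app/design/adminhtml/default/default/template
    d=$(mktemp -d)
    mkdir -p "$d/$t/sales/order/view" "$d/$t/vendorx/sales/order/view"
    touch "$d/$t/sales/order/view/info.phtml" \
          "$d/$t/vendorx/sales/order/view/info.phtml"
    printf '%s\n' "--- $t/sales/order/view/info.phtml" \
        "+++ $t/sales/order/view/info.phtml" \
        '--- app/code/core/Example.php' \
        '+++ app/code/core/Example.php' > "$d/patch.sh"
    find_template_overrides "$d/patch.sh" "$d"
    rm -rf "$d"
}

# Usage: script.sh <patch file> <Magento root>
if [ "$#" -eq 2 ]; then find_template_overrides "$1" "$2"; fi
```

A replacement template that lives under an unrelated path and is swapped in through layout XML will not match this path comparison, so an empty result does not rule out an override.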

Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange