Xingfuggz BaykeShop Cross-Site Scripting Vulnerability in Article Sidebar Module

Vulnerability

A stored cross-site scripting vulnerability has been identified in Xingfuggz BaykeShop versions through 1.3.20. The issue resides in the Article Sidebar Module, specifically within the file 'src/baykeshop/contrib/article/templates/baykeshop/sidebar/custom.html'. The vulnerability is caused by the 'sidebar.content' field being rendered without proper escaping, allowing attackers to inject arbitrary HTML or JavaScript. This injected content is then executed in the browsers of all visitors who view the affected sidebar.

Impact

Exploitation of this vulnerability allows for session hijacking, credential theft, and execution of administrative actions on behalf of the victim. In a real-world scenario, a low-privileged editor could compromise all visitors, including superusers, leading to a complete takeover of the site.

Reproduction

To reproduce this vulnerability, log into the BaykeShop admin panel with a user that has permission to edit sidebars. Navigate to the Sidebar management section and either select an existing sidebar or create a new one. In the 'Content' field, insert a script tag payload, such as '<script>alert("XSS Vulnerability");</script>'. After saving the sidebar, the injected script will execute in the browser of anyone who views the page with the sidebar.

Remediation

The immediate fix is to remove the '|safe' filter from the sidebar content rendering and use Django's default auto-escaping. If the sidebar is meant to contain safe HTML, implement a strict HTML sanitizer like Bleach or django-bleach to allow only safe tags and attributes.
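The two remediation options above, shown side by side as an added example (this is not BaykeShop's code and it does not use Bleach; it is a standard-library stand-in for the allowlist sanitizer the advisory recommends). `escape_content` does what Django's auto-escaping does once `|safe` is removed from the `sidebar.content` rendering: all markup is turned into entities and displayed, never executed. `sanitize` implements the stricter alternative: an allowlist of tags and attributes, a scheme check on `href`, and wholesale removal of `<script>`/`<style>` bodies. The tag and attribute policy, the function names and the sample inputs are assumptions made for this example.

```python
"""Allowlist HTML sanitizer for sidebar content (standard library only)."""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy: what a sidebar block may contain. Anything else is stripped.
ALLOWED_TAGS = {"p", "a", "b", "i", "strong", "em", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
# For these tags the body is dropped too, not just the surrounding tag.
DROP_CONTENT_TAGS = {"script", "style"}


def escape_content(content: str) -> str:
    """Equivalent of Django auto-escaping: render markup as text, not HTML."""
    return html.escape(content, quote=True)


def _safe_href(value: str) -> bool:
    """Allow relative paths and http(s)/mailto; reject javascript:, data:, etc."""
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags/attributes; escapes all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth += 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag (img, iframe, ...): drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops every on* handler, style, etc.
            if name == "href" and not _safe_href(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> and friends

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth = max(0, self._drop_depth - 1)
            return
        if self._drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._drop_depth:
            # convert_charrefs=True gives us decoded text, so re-escape it here.
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are never needed in a sidebar; drop them


def sanitize(content: str) -> str:
    """Return content reduced to the allowlisted subset of HTML."""
    parser = AllowlistSanitizer()
    parser.feed(content)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample input resembling the payload in the advisory.
    sample = '<p>Hello</p><script>alert("XSS Vulnerability");</script>'
    print(escape_content(sample))  # markup shown as text
    print(sanitize(sample))        # '<p>Hello</p>'
```

Of the two, removing `|safe` is the smaller change and is the right default; `sanitize` is only worth the extra surface if editors genuinely need formatted sidebar content, and even then the allowlist should stay as short as the feature allows.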

Added: Feb 23, 2026, 10:24 PM
Updated: Feb 23, 2026, 10:24 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.