Following a feedback regarding a potential privilege escalation attack via the product description edition in the backend, we've made some changes to HikaShop.
In this article, we'll cover here the details.
Someone reported to us that it is possible, for anyone with access to the product edition interface in the backend of HikaShop, to escalate their privileges through a XSS attack by injecting javascript in the description of the products with HikaShop until version 5.1.0. So that could allow them to gain super administrator access through this method.
Following this feedback, we've added a new option to choose whether you want to filter the HTML of the product description in the backend. It is activated by default and thus, this kind of attack won't be possible by default if you have HikaShop 5.1.1 or higher. Note that this also means that if you want to be able to add iframe tags or script tags in your products description, you'll have to turn off this setting.
The filtering of the product description was actually a hidden option already available in HikaShop. If you can't update your HikaShop, and want to make sure this attack is not possible on your website via this vector, you can go in your PHPMyAdmin, and add an entry with the namekey safe_product_description and the value 1 in the hikashop_config table.
Keep in touch folks.
Team HikaShop