CVE-2020-29587

Name of the Vulnerable Software and Affected Versions: SimplCommerce version 1.0.0-rc

Description: The issue arises from the use of the Bootbox.js library in SimplCommerce, which allows for the creation of programmatic dialog boxes using Bootstrap modals. This library does not sanitize user input, resulting in a DOM XSS vulnerability. The vulnerability occurs because the library uses the jQuery .html() function to directly append the payload to a dialog, allowing for the execution of malicious code.

Recommendations: For SimplCommerce version 1.0.0-rc, consider disabling the use of the Bootbox.js library until a patch is available, or restrict the input allowed to be appended to the dialog box to prevent malicious code execution. As a temporary workaround, avoid using the .html() function to append user input to the dialog box.