logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2025-27400 openmage/magento-lts

Package

Manager: composer
Name: openmage/magento-lts
Vulnerable Version: >=0 <20.12.3

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00212 pctl0.43781

Details

Magento LTS vulnerable to stored XSS in theme config fields As reported by [Aakash Adhikari](https://hackerone.com/dark_haxor), Github: @justlife4x4, the Design > Themes > Skin (Images / CSS) config field allows a Stored XSS when it contains an end script tag. ### Impact A malicious user with access to this configuration field could use a Stored XSS to affect other authenticated admin users in the admin panel. The attack requires an admin user with configuration access, so in practice, it is not very likely to be used for gaining elevated privileges, although it could theoretically be used to impersonate other users. ![image](https://github.com/user-attachments/assets/fd5b8f31-bf0c-4e87-8b50-03c6c8428bed)

Metadata

Created: 2025-03-03T19:47:12Z
Modified: 2025-03-03T19:47:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-5pxh-89cx-4668/GHSA-5pxh-89cx-4668.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-5pxh-89cx-4668
Finding: F425
Auto approve: 1