GHSA-gp6m-fq6h-cjcx – openmage/magento-lts
Package
Manager: composer
Name: openmage/magento-lts
Vulnerable Version: >=20.0.0 <20.5.0 || >=0 <19.5.3
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Magento LTS vulnerable to stored XSS in admin file form

### Summary

OpenMage is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields.

### Details

`Mage_Adminhtml_Block_System_Config_Form_Field_File` does not escape the filename value in certain situations.

Same as: https://nvd.nist.gov/vuln/detail/CVE-2024-20717

### PoC

1. Create an empty file with this filename: `<img src=x onerror=alert(1)>.crt`
2. Go to _System_ > _Configuration_ > _Sales | Payment Methods_.
3. Click **Configure** on _PayPal Express Checkout_.
4. Choose **API Certificate** from the dropdown _API Authentication Methods_.
5. Choose the XSS file and click **Save Config**.
6. Profit, alerts "1" -> XSS.
7. Reload, alerts "1" -> Stored XSS.

### Impact

Affects admins that have access to any file upload field in the admin area, in core or custom implementations. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
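The pattern behind this CWE-79 finding, shown as an added example that is not OpenMage's code: a stored filename rendered into the field's markup unescaped beside the same rendering with HTML escaping applied. The function names and the `uploaded-file` span are assumptions made for the example; the filename is the one from the PoC above.

```php
<?php
// Added example (not OpenMage's code). Demonstrates why a stored filename must
// be HTML-escaped before it is echoed into an admin form field.

// Filename constructed for this example, matching the advisory's PoC.
$uploadedName = '<img src=x onerror=alert(1)>.crt';

// Vulnerable pattern: the stored filename is concatenated into the markup as-is,
// so the browser parses the <img> tag and fires its onerror handler on every
// page load (stored XSS). Function name is hypothetical.
function renderFileFieldUnescaped(string $name, string $filename): string
{
    return '<input type="file" name="' . $name . '" />'
         . '<span class="uploaded-file">' . $filename . '</span>';
}

// Hardened pattern: htmlspecialchars() with ENT_QUOTES turns <, >, &, " and '
// into entities, so the value renders as inert text. Inside an OpenMage block
// the equivalent call is $this->escapeHtml($filename). Function name is hypothetical.
function renderFileFieldEscaped(string $name, string $filename): string
{
    $safe = htmlspecialchars($filename, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="file" name="' . $name . '" />'
         . '<span class="uploaded-file">' . $safe . '</span>';
}

$unsafeHtml = renderFileFieldUnescaped('api_cert', $uploadedName);
$safeHtml   = renderFileFieldEscaped('api_cert', $uploadedName);

// Simple regression check: the escaped output must contain no raw tag from the
// filename, while the unescaped output does.
assert(strpos($unsafeHtml, '<img') !== false);
assert(strpos($safeHtml, '<img') === false);
assert(strpos($safeHtml, '&lt;img') !== false);

echo "unescaped: {$unsafeHtml}", PHP_EOL;
echo "escaped:   {$safeHtml}", PHP_EOL;
```

When auditing custom admin field blocks, the same check applies to any value echoed from the stored configuration (filenames, labels, paths): route it through the block's `escapeHtml()` rather than concatenating it directly.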
Metadata
Created: 2024-02-27T21:47:58Z
Modified: 2024-03-04T04:29:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-gp6m-fq6h-cjcx/GHSA-gp6m-fq6h-cjcx.json
CWE IDs: ["CWE-79"]
Alternative ID: N/A
Finding: F425
Auto approve: 1