GitHub Advisory DatabaseGHSA-GP6M-FQ6H-CJCXMagento LTS vulnerable to stored XSS in admin file form
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
17.4%
Summary
OpenMage is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields.
Details
Mage_Adminhtml_Block_System_Config_Form_Field_File does not escape filename value in certain situations.
Same as: https://nvd.nist.gov/vuln/detail/CVE-2024-20717
PoC
- Create empty file with this filename:
<img src>.crt - Go to System > Configuration > Sales | Payment Methonds.
- Click Configure on PayPal Express Checkout.
- Choose API Certificate from dropdown API Authentication Methods.
- Choose the XSS-file and click Save Config.
- Profit, alerts β1β -> XSS.
- Reload, alerts β1β -> Stored XSS.
Impact
Affects admins that have access to any fileupload field in admin in core or custom implementations.
Malicious JavaScript may be executed in a victimβs browser when they browse to the page containing the vulnerable field.
Affected configurations
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
17.4%