Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05ajV3LTJjcWMtY3dqOc4AA3oh
Magento LTS vulnerable to Stored XSS via TinyMCE WYSIWYG Editor
From HackerOne report #1948040 by Halit AKAYDIN (hltakydn)
Impact
What kind of vulnerability is it? Who is impacted?
The TinyMCE WYSIWYG editor fails to filter scripts when rendering the HTML in specially crafted HTML tags.
Patches
Has the problem been patched? What versions should users upgrade to?
This vulnerability was fixed in version 20.2.0 by upgrading TinyMCE to a recent version in https://github.com/OpenMage/magento-lts/pull/3220
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
The WYSIWYG editor features could be disabled in the configuration. Possibly some WAF appliances would filter this attack.
References
Are there any links users can visit to find out more?
The attack is simply an exploit of the "onmouseover" attribute of an img
element as described on OWASP XSS Filter Evasion
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05ajV3LTJjcWMtY3dqOc4AA3oh
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 5 months ago
Updated: 5 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L
Identifiers: GHSA-9j5w-2cqc-cwj9
References:
- https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9j5w-2cqc-cwj9
- https://github.com/OpenMage/magento-lts/pull/3220
- https://hackerone.com/reports/1948040
- https://github.com/OpenMage/magento-lts/releases/tag/v20.2.0
- https://github.com/advisories/GHSA-9j5w-2cqc-cwj9
Blast Radius: 11.2
Affected Packages
packagist:openmage/magento-lts
Dependent packages: 21Dependent repositories: 31
Downloads: 147,065 total
Affected Version Ranges: < 20.2.0
Fixed in: 20.2.0
All affected versions: 19.4.0, 19.4.1, 19.4.2, 19.4.3, 19.4.4, 19.4.5, 19.4.6, 19.4.7, 19.4.8, 19.4.9, 19.4.10, 19.4.11, 19.4.12, 19.4.13, 19.4.14, 19.4.15, 19.4.16, 19.4.17, 19.4.18, 19.4.19, 19.4.20, 19.4.21, 19.4.22, 19.4.23, 19.5.0, 19.5.1, 19.5.2, 19.5.3, 20.0.0, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5, 20.0.6, 20.0.7, 20.0.8, 20.0.10, 20.0.11, 20.0.12, 20.0.13, 20.0.14, 20.0.15, 20.0.16, 20.0.17, 20.0.18, 20.0.19, 20.0.20, 20.1.0, 20.1.1
All unaffected versions: 20.2.0, 20.3.0, 20.4.0, 20.5.0, 20.6.0