Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS05ajV3LTJjcWMtY3dqOc4AA3oh

Magento LTS vulnerable to Stored XSS via TinyMCE WYSIWYG Editor

From HackerOne report #1948040 by Halit AKAYDIN (hltakydn)

Impact

What kind of vulnerability is it? Who is impacted?

The TinyMCE WYSIWYG editor fails to filter scripts when rendering the HTML in specially crafted HTML tags.

Patches

Has the problem been patched? What versions should users upgrade to?

This vulnerability was fixed in version 20.2.0 by upgrading TinyMCE to a recent version in https://github.com/OpenMage/magento-lts/pull/3220

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

The WYSIWYG editor features could be disabled in the configuration. Possibly some WAF appliances would filter this attack.

References

Are there any links users can visit to find out more?

The attack is simply an exploit of the "onmouseover" attribute of an img element as described on OWASP XSS Filter Evasion

Permalink: https://github.com/advisories/GHSA-9j5w-2cqc-cwj9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05ajV3LTJjcWMtY3dqOc4AA3oh
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 5 months ago
Updated: 5 months ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L

Identifiers: GHSA-9j5w-2cqc-cwj9
References:

• https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9j5w-2cqc-cwj9
• https://github.com/OpenMage/magento-lts/pull/3220
• https://hackerone.com/reports/1948040
• https://github.com/OpenMage/magento-lts/releases/tag/v20.2.0
• https://github.com/advisories/GHSA-9j5w-2cqc-cwj9

Repository: https://github.com/OpenMage/magento-lts
Blast Radius: 11.2

Affected Packages