Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1ncDZtLWZxNmgtY2pjeM4AA5jQ

Magento LTS vulnerable to stored XSS in admin file form

Summary

OpenMage is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields.

Details

Mage_Adminhtml_Block_System_Config_Form_Field_File does not escape filename value in certain situations.
Same as: https://nvd.nist.gov/vuln/detail/CVE-2024-20717

PoC

1. Create empty file with this filename: <img src=x onerror=alert(1)>.crt
2. Go to System > Configuration > Sales | Payment Methonds.
3. Click Configure on PayPal Express Checkout.
4. Choose API Certificate from dropdown API Authentication Methods.
5. Choose the XSS-file and click Save Config.
6. Profit, alerts "1" -> XSS.
7. Reload, alerts "1" -> Stored XSS.

Impact

Affects admins that have access to any fileupload field in admin in core or custom implementations.
Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

Permalink: https://github.com/advisories/GHSA-gp6m-fq6h-cjcx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ncDZtLWZxNmgtY2pjeM4AA5jQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 months ago
Updated: about 2 months ago

CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-gp6m-fq6h-cjcx
References:

• https://github.com/OpenMage/magento-lts/security/advisories/GHSA-gp6m-fq6h-cjcx
• https://nvd.nist.gov/vuln/detail/CVE-2024-20717
• https://github.com/advisories/GHSA-gp6m-fq6h-cjcx

Repository: https://github.com/OpenMage/magento-lts
Blast Radius: 8.1

Affected Packages