Headline
GHSA-9j5w-2cqc-cwj9: Magento LTS vulnerable to Stored XSS via TinyMCE WYSIWYG Editor
From HackerOne report #1948040 by Halit AKAYDIN (hltakydn)
Impact
What kind of vulnerability is it? Who is impacted?
The TinyMCE WYSIWYG editor fails to filter scripts when rendering the HTML in specially crafted HTML tags.
Patches
Has the problem been patched? What versions should users upgrade to?
This vulnerability was fixed in version 20.2.0 by upgrading TinyMCE to a recent version in https://github.com/OpenMage/magento-lts/pull/3220
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
The WYSIWYG editor features could be disabled in the configuration. Possibly some WAF appliances would filter this attack.
References
Are there any links users can visit to find out more?
The attack is simply an exploit of the “onmouseover” attribute of an img
element as described on OWASP XSS Filter Evasion
From HackerOne report #1948040 by Halit AKAYDIN (hltakydn)
Impact
What kind of vulnerability is it? Who is impacted?
The TinyMCE WYSIWYG editor fails to filter scripts when rendering the HTML in specially crafted HTML tags.
Patches
Has the problem been patched? What versions should users upgrade to?
This vulnerability was fixed in version 20.2.0 by upgrading TinyMCE to a recent version in OpenMage/magento-lts#3220
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
The WYSIWYG editor features could be disabled in the configuration. Possibly some WAF appliances would filter this attack.
References
Are there any links users can visit to find out more?
The attack is simply an exploit of the “onmouseover” attribute of an img element as described on OWASP XSS Filter Evasion
References
- GHSA-9j5w-2cqc-cwj9
- OpenMage/magento-lts#3220
- https://hackerone.com/reports/1948040
- https://github.com/OpenMage/magento-lts/releases/tag/v20.2.0