Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-gp6m-fq6h-cjcx: Magento LTS vulnerable to stored XSS in admin file form

Summary

OpenMage is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields.

Details

Mage_Adminhtml_Block_System_Config_Form_Field_File does not escape filename value in certain situations. Same as: https://nvd.nist.gov/vuln/detail/CVE-2024-20717

PoC

  1. Create empty file with this filename: <img src=x onerror=alert(1)>.crt
  2. Go to System > Configuration > Sales | Payment Methonds.
  3. Click Configure on PayPal Express Checkout.
  4. Choose API Certificate from dropdown API Authentication Methods.
  5. Choose the XSS-file and click Save Config.
  6. Profit, alerts “1” -> XSS.
  7. Reload, alerts “1” -> Stored XSS.

Impact

Affects admins that have access to any fileupload field in admin in core or custom implementations. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

ghsa
Open in Source
#xss#vulnerability#git#java#auth
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. GHSA-gp6m-fq6h-cjcx

Magento LTS vulnerable to stored XSS in admin file form

Moderate severity GitHub Reviewed Published Feb 27, 2024 in OpenMage/magento-lts • Updated Feb 27, 2024

Package

composer openmage/magento-lts (Composer)

Affected versions

>= 20.0.0, < 20.5.0

< 19.5.3

Patched versions

20.5.0

19.5.3

Summary

OpenMage is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields.

Details

Mage_Adminhtml_Block_System_Config_Form_Field_File does not escape filename value in certain situations.
Same as: https://nvd.nist.gov/vuln/detail/CVE-2024-20717

PoC

  1. Create empty file with this filename: <img src=x onerror=alert(1)>.crt
  2. Go to System > Configuration > Sales | Payment Methonds.
  3. Click Configure on PayPal Express Checkout.
  4. Choose API Certificate from dropdown API Authentication Methods.
  5. Choose the XSS-file and click Save Config.
  6. Profit, alerts “1” -> XSS.
  7. Reload, alerts “1” -> Stored XSS.

Impact

Affects admins that have access to any fileupload field in admin in core or custom implementations.
Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

References

  • GHSA-gp6m-fq6h-cjcx
  • https://nvd.nist.gov/vuln/detail/CVE-2024-20717

Published to the GitHub Advisory Database

Feb 27, 2024

Last updated

Feb 27, 2024

ghsa: Latest News

GHSA-9722-9j67-vjcr: Improper Authorization in Select Permissions
ghsa