Lookup for vulnerable packages by Package URL.
| Purl | pkg:composer/openmage/magento-lts@20.5.0 |
| Type | composer |
| Namespace | openmage |
| Name | magento-lts |
| Version | 20.5.0 |
| Qualifiers | |
| Subpath | |
| Is_vulnerable | false |
| Next_non_vulnerable_version | 19.4.6 |
| Latest_non_vulnerable_version | 20.18.0 |
| Affected_by_vulnerabilities | |
| Fixing_vulnerabilities |
| 0 |
| url |
VCID-c9gq-husm-87bb |
| vulnerability_id |
VCID-c9gq-husm-87bb |
| summary |
Magento LTS vulnerable to stored XSS in admin file form
### Summary
OpenMage is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields.
### Details
`Mage_Adminhtml_Block_System_Config_Form_Field_File` does not escape the filename value in certain situations.
Same as: https://nvd.nist.gov/vuln/detail/CVE-2024-20717
### PoC
1. Create empty file with this filename: `<img src=x onerror=alert(1)>.crt`
2. Go to _System_ > _Configuration_ > _Sales | Payment Methods_.
3. Click **Configure** on _PayPal Express Checkout_.
4. Choose **API Certificate** from dropdown _API Authentication Methods_.
5. Choose the XSS-file and click **Save Config**.
6. Profit, alerts "1" -> XSS.
7. Reload, alerts "1" -> Stored XSS.
### Impact
Affects admins that have access to any file upload field in admin in core or custom implementations.
Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-gp6m-fq6h-cjcx
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c9gq-husm-87bb |
|
|
| Risk_score | null |
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.5.0 |