{"url":"http://public2.vulnerablecode.io/api/packages/373518?format=json","purl":"pkg:composer/openmage/magento-lts@19.5.0","type":"composer","namespace":"openmage","name":"magento-lts","version":"19.5.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"20.17.0","latest_non_vulnerable_version":"20.18.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/10473?format=json","vulnerability_id":"VCID-6m5f-vc15-xqfa","summary":"Magento LTS vulnerable to stored XSS in admin file form\n### Summary\nOpenMage is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields.\n\n### Details\n`Mage_Adminhtml_Block_System_Config_Form_Field_File` does not escape the filename value in certain situations.\nSame as: https://nvd.nist.gov/vuln/detail/CVE-2024-20717\n\n### PoC\n1. Create empty file with this filename: `<img src=x onerror=alert(1)>.crt`\n2. Go to _System_ > _Configuration_ > _Sales | Payment Methods_.\n3. Click **Configure** on _PayPal Express Checkout_.\n4. Choose **API Certificate** from dropdown _API Authentication Methods_.\n5. Choose the XSS-file and click **Save Config**.\n6. Profit, alerts \"1\" -> XSS.\n7. 
Reload, alerts \"1\" -> Stored XSS.\n\n### Impact\nAffects admins that have access to any fileupload field in admin in core or custom implementations.\nMalicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.","references":[{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-gp6m-fq6h-cjcx","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-gp6m-fq6h-cjcx"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-20717","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-20717"},{"reference_url":"https://github.com/advisories/GHSA-gp6m-fq6h-cjcx","reference_id":"GHSA-gp6m-fq6h-cjcx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gp6m-fq6h-cjcx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/27035?format=json","purl":"pkg:composer/openmage/magento-lts@19.5.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-jasf-wx9g-bfgd"},{"v
ulnerability":"VCID-rrwm-cehn-3bdu"},{"vulnerability":"VCID-tz1g-dasb-yydg"},{"vulnerability":"VCID-u5e2-hr8w-vbc3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@19.5.3"},{"url":"http://public2.vulnerablecode.io/api/packages/27034?format=json","purl":"pkg:composer/openmage/magento-lts@20.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-jasf-wx9g-bfgd"},{"vulnerability":"VCID-rrwm-cehn-3bdu"},{"vulnerability":"VCID-tz1g-dasb-yydg"},{"vulnerability":"VCID-u5e2-hr8w-vbc3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.5.0"}],"aliases":["GHSA-gp6m-fq6h-cjcx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6m5f-vc15-xqfa"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36645?format=json","vulnerability_id":"VCID-75np-uapr-5ye3","summary":"Magento LTS vulnerable to Stored XSS via TinyMCE WYSIWYG Editor\nFrom HackerOne report [#1948040](https://hackerone.com/reports/1948040) by Halit AKAYDIN (hltakydn)\n\n### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nThe TinyMCE WYSIWYG editor fails to filter scripts when rendering the HTML in specially crafted HTML tags.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nThis vulnerability was fixed in version 20.2.0 by upgrading TinyMCE to a recent version in https://github.com/OpenMage/magento-lts/pull/3220\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nThe WYSIWYG editor features could be disabled in the configuration. 
Possibly some WAF appliances would filter this attack.\n\n### References\n_Are there any links users can visit to find out more?_\n\nThe attack is simply an exploit of the \"onmouseover\" attribute of an `img` element as described on [OWASP XSS Filter Evasion](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html)","references":[{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://github.com/OpenMage/magento-lts/pull/3220","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts/pull/3220"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.2.0","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.2.0"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9j5w-2cqc-cwj9","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9j5w-2cqc-cwj9"},{"reference_url":"https://hackerone.com/reports/1948040","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_syste
m":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/1948040"},{"reference_url":"https://github.com/advisories/GHSA-9j5w-2cqc-cwj9","reference_id":"GHSA-9j5w-2cqc-cwj9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-9j5w-2cqc-cwj9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/69184?format=json","purl":"pkg:composer/openmage/magento-lts@20.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6m5f-vc15-xqfa"},{"vulnerability":"VCID-jasf-wx9g-bfgd"},{"vulnerability":"VCID-rrwm-cehn-3bdu"},{"vulnerability":"VCID-tz1g-dasb-yydg"},{"vulnerability":"VCID-u5e2-hr8w-vbc3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.2.0"}],"aliases":["GHSA-9j5w-2cqc-cwj9","GMS-2023-5656"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-75np-uapr-5ye3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35660?format=json","vulnerability_id":"VCID-89cm-wc32-tkep","summary":"Magento LTS's guest order \"protect code\" can be brute-forced too easily\n# Impact\n\nGuest orders may be viewed without authentication using a \"guest-view\" cookie which contains the order's \"protect_code\". This code is 6 hexadecimal characters which is arguably not enough to prevent a brute-force attack. Exposing each order would require a separate brute force attack.\n\n# Patches\n\nNone.\n\n# Workarounds\n\nImplementing rate-limiting at the web server would help mitigate the issue. In particular, a very strict rate limit (e.g. 
1 per minute per IP) for the specific route (`sales/guest/view/`) would effectively mitigate the issue.\n\n# References\n\nEmail from Frank Rochlitzer (f.rochlitzer@b3-it.de) to security@openmage.org:\n\n## Summary\n\nThe German Federal Office for Information Security (BSI) found the following flaw in OpenMage through a commissioned pen test:\nThe web application was found to accept certain requests even without prior strong authentication if the person making the request has data that is non-public but also not secret, such as\neasily guessed transaction numbers or names.\nAttacking entities could possibly exploit this to retrieve sensitive information using this easier-to-obtain data and by trying random numbers.\n\n## Details\n\nCustomers who place an order without an account can subsequently retrieve the order data or invoice data by specifying individual information.\nTechnically, the access is realized by specifying the cookie guest-view. The value of the cookie is Base64 encoded and contains a random value and the order number. The random value consists of six characters, where these are taken from the alphabet [0-9a-f]. In the best case, i.e. when using a cryptographically secure random number generator, this corresponds to an entropy of 24 bits. Furthermore, the order numbers are assigned incrementally, so that the number range can be narrowed down or an upper limit determined by placing an order.\nSpecifically, this results in the risk that an attacking entity can iterate over all possible values of the cookie's random value. If successful, the billing address, shipping address, payment details and the ordered items can be viewed. The attack only works for orders made as a guest.\n\n## PoC\n\nThe request/response pair shows the retrieval of an order. It should be noted in particular, that the cookie is not bound to a session. 
The response has been formatted for readability.\n\nRequest:\n```\n1 GET /magento19/index.php/default/sales/guest/view/ HTTP/1.1\n2 Host: localhost.local\n3 Cookie: guest-view=MzYyYzI4OjEwMDAwMDQzMQ%3D%3D;\n4 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0\n5 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\n6 Accept-Language: en-US,en;q=0.5\n7 Accept-Encoding: gzip, deflate\n8 Referer: https://localhost.local/magento19/index.php/default/egovs_checkout/multipage/successview/\n9 Upgrade-Insecure-Requests: 1\n10 Sec-Fetch-Dest: document\n11 Sec-Fetch-Mode: navigate\n12 Sec-Fetch-Site: same-origin\n13 Sec-Fetch-User: ?1\n14 Te: trailers\n15 Connection: close\n```\n\nResponse:\n\n```\n1 HTTP/1.1 200 OK\n2 Date: Tue, 13 Dec 2022 14:06:13 GMT\n3 Server: Apache\n4 Strict-Transport-Security: max-age=31536000; includeSubDomains\n5 X-Powered-By: PHP/7.4.6\n6 Set-Cookie: om_frontend=id7v84a05u8mm1j32t2kj5rbjl; expires=Tue, 13-Dec-2022 15:06:13 GMT; Max-Age=3600; path=/magento19/; domain=localhost.local; secure; HttpOnly\n7 Expires: Thu, 19 Nov 1981 08:52:00 GMT\n8 Cache-Control: no-store, no-cache, must-revalidate\n9 Pragma: no-cache\n10 Set-Cookie: om_frontend=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/magento19/; domain=localhost.local; secure; HttpOnly; SameSite=None\n11 Set-Cookie: om_frontend=o42vttknheaj0sr3q0381jipdp; expires=Tue, 13-Dec-2022 15:06:13 GMT; Max-Age=3600; path=/magento19/; domain=localhost.local; secure; HttpOnly\n12 Set-Cookie: guest-view=MzYyYzI4OjEwMDAwMDQzMQ%3D%3D; expires=Tue, 13-Dec-2022 14:16:13 GMT; Max-Age=600; path=/; domain=localhost.local; secure; HttpOnly; SameSite=None\n13 X-Frame-Options: SAMEORIGIN\n14 X-Content-Type-Options: nosniff\n15 X-XSS-Protection: 1; mode=block\n16 Referrer-Policy: same-origin\n17 Feature-Policy: geolocation 'self'; vibrate 'none'\n18 Content-Security-Policy: default-src 'self';script-src 'self' 
'unsafe-inline' 'unsafeeval';\nstyle-src 'self' 'unsafe-inline';\n19 Connection: close\n20 Content-Type: text/html; charset=UTF-8\n21 Content-Length: 47876\n22\n23 <!DOCTYPE html>\n24 <html xmlns=\"http://www.w3.org/1999/xhtml\" xml:lang=\"de\" lang=\"de\">\n25 […]\n26 <div class=\"page-title\">\n27 <h1>Bestellung #100000431 - Ausstehende Überweisung</h1>\n28 </div>\n29 […]\n30 <h2 class=\"feature-headline\">Versandadresse</h2>\n31 <div class=\"feature-content\">\n32 <address>\n33 Herr Vorname Nachname<br>\n34 Straße<br>\n35 Dresden, Brandenburg, 01067<br>\n36 Deutschland<br>\n37 </address>\n38 </div>\n39 […]\n40 <h2 class=\"feature-headline\">Rechnungsadresse</h2>\n41 <div class=\"feature-content\">\n42 <address>\n43 [color]Herr Vorname Nachname<br>\n44 Straße<br>\n45 Dresden, Brandenburg, 01067<br>\n46 Deutschland<br>[/color]\n47 </address>\n48 </div>\n49 […]\n50 <h2 class=\"feature-headline\">Zahlungsart</h2>\n51 <div class=\"feature-content\">\n52 <div class=\"block-content\">\n53 Vorkasse<br>\n54 <div id=\"bankpayment_account_info\" style=\"font-style: italic;\">Bankverbindung</div>\n55 <table class=\"data-table fieldset\">\n56 […]\n57 <h2 class=\"sub-title\">\n58 <span>Kassenzeichen: WS1712000349</span>\n59 </h2>\n60 <h2 class=\"sub-title\">Bestellte Artikel</h2>\n61 […]\n62 <td class=\"order-item-product\">\n63 <h3 class=\"product-name ellipsis-multi-line\">Testprodukt Kreditkarte</h3>\n64 […]\n65 <span class=\"price\">100,23 €</span>\n66 […]\n67 </html>\n```\n\n## Impact\n\nInformation disclosure.\nRead as well as write access to sensitive information of persons or accounts and the execution of actions on their behalf must always be secured by strong authentication. This can be ensured, for example, by enforcing strong passwords or MFA.\nFor temporary accesses to sensitive information, temporary passwords or\nauthentication tokens or comparable data that an attacking entity cannot easily guess or determine should be used. 
Random values should have sufficient entropy so that searching the number space is impractical for attacking entities.\nFurthermore, such queries should be limited by rate limiting.\nThe exact attack effort cannot be determined, since this requires the proportion of\norders that were placed without an account and since the performance of the\nproduction system is likely to differ from that of the test system.\nIn a test run, 1000 requests could be made within 36 seconds. Part of the execution is shown in the screenshot. The complete search of the number space for the random value would take 6 days 23 hours 46 minutes. Accordingly, the expected value is about 3.5 days. If every third order is executed without an account, the effort must be multiplied by a factor of 3.\n\nKind regards\n\nFrank Rochlitzer (github: theroch)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-41879","reference_id":"","reference_type":"","scores":[{"value":"0.00102","scoring_system":"epss","scoring_elements":"0.27758","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-41879"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-26T16:53:59Z/"}],"url":"h
ttps://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128"},{"reference_url":"https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-26T16:53:59Z/"}],"url":"https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-26T16:53:59Z/"}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-26T16:53:59Z/"}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track",
"scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-26T16:53:59Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-41879","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-41879"},{"reference_url":"https://github.com/advisories/GHSA-9358-cpvx-c2qp","reference_id":"GHSA-9358-cpvx-c2qp","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-9358-cpvx-c2qp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/67863?format=json","purl":"pkg:composer/openmage/magento-lts@19.5.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6m5f-vc15-xqfa"},{"vulnerability":"VCID-75np-uapr-5ye3"},{"vulnerability":"VCID-jasf-wx9g-bfgd"},{"vulnerability":"VCID-rrwm-cehn-3bdu"},{"vulnerability":"VCID-tz1g-dasb-yydg"},{"vulnerability":"VCID-u5e2-hr8w-vbc3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@19.5.1"},{"url":"http://public2.vulnerablecode.io/api/packages/67864?format=json","purl":"pkg:composer/openmage/magento-lts@20.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6m5f-vc15-xqfa"},{"vulnerability":"VCID-75np-uapr-5ye3"},{"vulnerability":"VCID-jasf-wx9g-bfgd"},{"vulnerability":"VCID-rrwm-cehn-3bdu"},{"vulnerability":"VCID-tz1g-dasb-yydg"},{"vulnerability":"VCID-u5e2-hr8w-vbc3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.1.1"}],"aliases":["CVE-2023-41879","GHSA-9358-cpvx-c2qp"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-89cm-wc32-tke
p"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/12993?format=json","vulnerability_id":"VCID-jasf-wx9g-bfgd","summary":"Magento LTS vulnerable to stored Cross-site Scripting (XSS) in admin system configs\n### Impact\n\nThis XSS vulnerability is about the system configs\n* design/header/welcome\n* design/header/logo_src\n* design/header/logo_src_small\n* design/header/logo_alt\n\nThey are intended to enable admins to set a text in the two cases, and to define an image url for the other two cases.\nBut the previously missing escaping allowed arbitrary HTML to be entered and, as a consequence, arbitrary JavaScript as well.\n\nWhile this is in most usage scenarios not a relevant issue, some people work with more restrictive roles in the backend. Here the ability to inject JavaScript with these settings would be an unintended and unwanted privilege.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_  \n\nThe problem is patched with Version 20.10.1 or higher.\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_  \n\nPossible mitigations are\n* Restricting access to the System Configs \n* checking templates where these settings are used to apply proper html filtering\n\n### For Users relying on this possibility\n\nSome Users might actually rely on the ability to use html there.\nYou can restore the previous behavior by making use of the newly introduced `->getUnescapedValue()` method on these escaped elements. 
Developers should have a look at the newly introduced `Mage_Core_Model_Security_HtmlEscapedString`\n\n### Credit\n\nCredit goes to  Aakash Adhikari @justlife4x4 for finding this issue","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-41676","reference_id":"","reference_type":"","scores":[{"value":"0.00669","scoring_system":"epss","scoring_elements":"0.71637","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-41676"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://github.com/OpenMage/magento-lts/commit/484cf8afc550e98bbf2c03fbb29a8450a32e7948","reference_id":"","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-29T15:41:02Z/"}],"url":"https://github.com/OpenMage/magento-lts/commit/484cf8afc550e98bbf2c03fbb29a8450a32e7948"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5vrp-638w-p8m2","reference_id":"","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1"
,"scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-29T15:41:02Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5vrp-638w-p8m2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41676","reference_id":"","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41676"},{"reference_url":"https://github.com/advisories/GHSA-5vrp-638w-p8m2","reference_id":"GHSA-5vrp-638w-p8m2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5vrp-638w-p8m2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/37448?format=json","purl":"pkg:composer/openmage/magento-lts@20.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-rrwm-cehn-3bdu"},{"vulnerability":"VCID-tz1g-dasb-yydg"},{"vulnerability":"VCID-u5e2-hr8w-vbc3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.10.1"}],"aliases":["CVE-2024-41676","GHSA-5vrp-638w-p8m2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jasf-wx9g-bfgd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/31679?format=json","vulnerability_id":"VCID-rrwm-cehn-3bdu","summary":"Magento LTS vulnerable to stored XSS in theme config fields\nAs reported by [Aakash 
Adhikari](https://hackerone.com/dark_haxor), Github: @justlife4x4, the Design > Themes > Skin (Images / CSS) config field allows a Stored XSS when it contains an end script tag.\n\n### Impact\nA malicious user with access to this configuration field could use a Stored XSS to affect other authenticated admin users in the admin panel.\n\nThe attack requires an admin user with configuration access, so in practice, it is not very likely to be used for gaining elevated privileges, although it could theoretically be used to impersonate other users.\n\n![image](https://github.com/user-attachments/assets/fd5b8f31-bf0c-4e87-8b50-03c6c8428bed)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27400","reference_id":"","reference_type":"","scores":[{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.34668","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27400"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://github.com/OpenMage/magento-lts/commit/d307e5bf75729a2347dde0952fe9fd9fcd9c6aea","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-28T15:41:48Z/"}],"url":"https://github.com/OpenMage/magento-lts/commit/d307e5bf75729a2347dde0952fe9fd9fcd9c6aea"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.12.3","reference_id":"","reference_type":"","scores":[{"value":"2.9","scorin
g_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-28T15:41:48Z/"}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.12.3"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.13.0","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-28T15:41:48Z/"}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.13.0"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5pxh-89cx-4668","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-28T15:41:48Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5pxh-89cx-4668"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27400","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27400"},{"reference_url":"https://github.com/advisories/GHSA-5pxh-89cx-4668","reference_id":"GHSA-5pxh-89cx-4668","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-5pxh-89cx-4668"}],"fixed_packages":[{"url":"http://public2.vulnerab
lecode.io/api/packages/64737?format=json","purl":"pkg:composer/openmage/magento-lts@20.12.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-tz1g-dasb-yydg"},{"vulnerability":"VCID-u5e2-hr8w-vbc3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.12.3"}],"aliases":["CVE-2025-27400","GHSA-5pxh-89cx-4668"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rrwm-cehn-3bdu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/32777?format=json","vulnerability_id":"VCID-tz1g-dasb-yydg","summary":"OpenMage vulnerable to XSS in Admin Notifications\n### Summary\nOpenMage versions v20.15.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin with direct database access or the admin notification feed source to inject malicious scripts into vulnerable fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.\n\n### Details\nUnescaped translation strings and URLs are printed into contexts inside `app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Actions.php`. A malicious translation or polluted data can inject script. \n- Link labels use __() without escaping.\n- ’deleteConfirm()’ embeds a message without escaping.\n\n### PoC\n1. Add XSS to admin locale (e.g. app/locale/en_US/local.csv):\n    ```\n    \"Read Details\",\"<img src=x onerror=alert(123)>\"\n    \"Mark as Read\",\"<script>alert(123)</script>\"\n    ```\n2. Flush Cache. Make sure locale is set to en_US.\n3. Add any admin notification (e.g. 
via test.php)\n     ```\n    <?php\n    require 'app/Mage.php';\n    Mage::app('admin');\n    Mage::getModel('adminnotification/inbox')->setData([\n        'severity'  => Mage_AdminNotification_Model_Inbox::SEVERITY_NOTICE,\n        'date_added' => now(),\n        'title' => 'XSS renderer test',\n        'description' => 'Testing actions renderer',\n        'url' => 'https://example.com', // makes the \"Read Details\" link appear\n        'is_read' => 0, // makes the \"Mark as Read\" link appear\n        'is_remove' => 0,\n    ])->save();\n    ```\n4. Open Admin → System → Notifications → Inbox.\n5. Profit.\n\n### Impact\nThe vulnerability is only exploitable by an attacker with administrative or translation privileges. Malicious JavaScript may be executed in a victim’s browser when they browse to the admin page containing the vulnerable fields.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-64174","reference_id":"","reference_type":"","scores":[{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09658","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-64174"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://github.com/OpenMage/magento-lts/commit/9d604f5489851c54a96fca31b0e13c414b0fb20a","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-06T21
:19:51Z/"}],"url":"https://github.com/OpenMage/magento-lts/commit/9d604f5489851c54a96fca31b0e13c414b0fb20a"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-qv78-c8hc-438r","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-06T21:19:51Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-qv78-c8hc-438r"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64174","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64174"},{"reference_url":"https://github.com/advisories/GHSA-qv78-c8hc-438r","reference_id":"GHSA-qv78-c8hc-438r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qv78-c8hc-438r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/65129?format=json","purl":"pkg:composer/openmage/magento-lts@20.16.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-u5e2-hr8w-vbc3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.16.0"}],"aliases":["CVE-2025-64174","GHSA-qv78-c8hc-438r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tz1g-dasb-yydg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2024
0?format=json","vulnerability_id":"VCID-u5e2-hr8w-vbc3","summary":"Magento's X-Original-Url header can expose admin url\n### Impact\n\nThe admin url can be discovered without prior knowledge of its location by exploiting the X-Original-Url header on some configurations.\n\n### Patches\n\nThe bug comes from the Zend library and is patched by unsetting the header in the bootstrap process.\n\n### Workarounds\n\nUnset the `X-Original-Url` header in the web server configuration.\n\n### References\n\nThe activation of these headers is coming from the Zend_Controller module. It appears this has been known to some degree since 2016 -\nhttps://peterocallaghan.co.uk/2016/12/magento-poisoning-cache/ (dead link now..)\n\n### Credit\n\nAnees Hyder ( @anees0xdev ) via HackerOne\nhttps://hackerone.com/anees0x_dev/hacktivity","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25523","reference_id":"","reference_type":"","scores":[{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01171","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25523"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-jg68-vhv3-9r8f","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:34:33
Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-jg68-vhv3-9r8f"},{"reference_url":"https://hackerone.com/bugs?subject=openmage&report_id=3416312","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:34:33Z/"}],"url":"https://hackerone.com/bugs?subject=openmage&report_id=3416312"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25523","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25523"},{"reference_url":"https://github.com/advisories/GHSA-jg68-vhv3-9r8f","reference_id":"GHSA-jg68-vhv3-9r8f","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jg68-vhv3-9r8f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/921706?format=json","purl":"pkg:composer/openmage/magento-lts@21.0.0-beta1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@21.0.0-beta1"},{"url":"http://public2.vulnerablecode.io/api/packages/55729?format=json","purl":"pkg:composer/openmage/magento-lts@20.16.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.16.1"}],"aliases":["CVE-2026-25523","GHSA-jg68-vhv3-9r8f"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnera
bilities/VCID-u5e2-hr8w-vbc3"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@19.5.0"}