GHSA-gp6m-fq6h-cjcx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-gp6m-fq6h-cjcx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-gp6m-fq6h-cjcx/GHSA-gp6m-fq6h-cjcx.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-gp6m-fq6h-cjcx
- Published
- 2024-02-27T21:47:58Z
- Modified
- 2024-11-30T05:27:42.302302Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Magento LTS vulnerable to stored XSS in admin file form
- Details
-
Summary
OpenMage is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields.
Details
Mage_Adminhtml_Block_System_Config_Form_Field_Filedoes not escape filename value in certain situations. Same as: https://nvd.nist.gov/vuln/detail/CVE-2024-20717PoC
- Create empty file with this filename:
<img src=x onerror=alert(1)>.crt - Go to System > Configuration > Sales | Payment Methonds.
- Click Configure on PayPal Express Checkout.
- Choose API Certificate from dropdown API Authentication Methods.
- Choose the XSS-file and click Save Config.
- Profit, alerts "1" -> XSS.
- Reload, alerts "1" -> Stored XSS.
Impact
Affects admins that have access to any fileupload field in admin in core or custom implementations. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
- Create empty file with this filename:
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-02-27T21:47:58Z" }- References
Affected packages
Packagist / openmage/magento-lts
Package
- Name
- openmage/magento-lts
- Purl
- pkg:composer/openmage/magento-lts
Affected versions
v20.*
v20.0.0
v20.0.1
v20.0.2
v20.0.3
v20.0.4
v20.0.5
v20.0.6
v20.0.7
v20.0.8
v20.0.10
v20.0.11
v20.0.12
v20.0.13
v20.0.14
v20.0.15
v20.0.16
v20.0.17
v20.0.18
v20.0.19
v20.0.20
v20.1.0-rc1
v20.1.0-rc2
v20.1.0-rc3
v20.1.0-rc4
v20.1.0-rc5
v20.1.0-rc6
v20.1.0-rc7
v20.1.0
v20.1.1
v20.2.0
v20.3.0
v20.4.0
Packagist / openmage/magento-lts
Package
- Name
- openmage/magento-lts
- Purl
- pkg:composer/openmage/magento-lts
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed19.5.3
Affected versions
1.*
1.9.1.1
1.9.2.0
1.9.2.1
1.9.2.2
1.9.2.3
1.9.2.4
1.9.3.0
1.9.3.1
v19.*
v19.4.0
v19.4.1
v19.4.2
v19.4.3
v19.4.4
v19.4.5
v19.4.6
v19.4.7
v19.4.8
v19.4.9
v19.4.10
v19.4.11
v19.4.12
v19.4.13
v19.4.14
v19.4.15
v19.4.16
v19.4.17
v19.4.18
v19.4.19
v19.4.20
v19.4.21
v19.4.22
v19.4.23
v19.5.0-rc1
v19.5.0-rc2
v19.5.0-rc3
v19.5.0-rc4
v19.5.0-rc5
v19.5.0
v19.5.1
v19.5.2