CVE-2024-41676Cross-site Scripting in Magento-lts

CWE-79Cross-site Scripting4 documents4 sources
Severity
4.8MEDIUMNVD
CNA4.1
EPSS
0.7%
top 28.65%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Openmage Magento-ltsOpenmage Magento
Timeline
PublishedJul 29

Description

Magento-lts is a long-term support alternative to Magento Community Edition (CE). This XSS vulnerability affects the design/header/welcome, design/header/logo_src, design/header/logo_src_small, and design/header/logo_alt system configs.They are intended to enable admins to set a text in the two cases, and to define an image url for the other two cases. But because of previously missing escaping allowed to input arbitrary html and as a consequence also arbitrary JavaScript. The problem is patched

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages3 packages

NVDopenmage/magento< 20.10.1
CVEListV5openmage/magento-lts< 20.10.1
Packagistopenmage/magento-lts< 20.10.1

🔴Vulnerability Details

3
OSV
Magento LTS vulnerable to stored Cross-site Scripting (XSS) in admin system configs2024-07-29
GHSA
Magento LTS vulnerable to stored Cross-site Scripting (XSS) in admin system configs2024-07-29
CVEList
Magento LTS vulnerable to stored Cross-site Scripting (XSS) in admin system configs2024-07-29
CVE-2024-41676 — Cross-site Scripting in Magento-lts | cvebase