CVE-2025-64174
published 2025-11-06CVE-2025-64174: Magento-lts is a long-term support alternative to Magento Community Edition (CE). Versions 20.15.0 and below are affected by a stored Cross-Site Scripting…
PriorityP422medium4.8CVSS 3.1
AVNACLPRHUIRSCCLILAN
EPSS
0.19%
9.1th percentile
Magento-lts is a long-term support alternative to Magento Community Edition (CE). Versions 20.15.0 and below are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin with direct database access or the admin notification feed source to inject malicious scripts into vulnerable fields. Unescaped translation strings and URLs are printed into contexts inside app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Actions.php. A malicious translation or polluted data can inject script. This issue is fixed in version 20.16.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openmage | magento | < 20.16.0 | 20.16.0 |
| openmage | magento-lts | < 20.16.0 | 20.16.0 |
| openmage | magento-lts | >= 0 < 20.16.0 | 20.16.0 |
CVSS provenance
nvdv3.14.8MEDIUMCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
nvdv4.04.6MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
OpenMage vulnerable to XSS in Admin Notifications
osv·2025-11-03
CVE-2025-64174 [MEDIUM] OpenMage vulnerable to XSS in Admin Notifications
OpenMage vulnerable to XSS in Admin Notifications
### Summary
OpenMage versions v20.15.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin with direct database access or the admin notification feed source to inject malicious scripts into vulnerable fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
### Details
Unescaped translation strings and URLs are printed into contexts inside `app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Actions.php`. A malicious translation or polluted data can inject script.
- Link labels use __() without escaping.
- ’deleteConfirm()’ embeds a message without escaping.
### PoC
1. Add XSS to admin locale (e.g.
GHSA
OpenMage vulnerable to XSS in Admin Notifications
ghsa·2025-11-03
CVE-2025-64174 [MEDIUM] CWE-79 OpenMage vulnerable to XSS in Admin Notifications
OpenMage vulnerable to XSS in Admin Notifications
### Summary
OpenMage versions v20.15.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin with direct database access or the admin notification feed source to inject malicious scripts into vulnerable fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
### Details
Unescaped translation strings and URLs are printed into contexts inside `app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Actions.php`. A malicious translation or polluted data can inject script.
- Link labels use __() without escaping.
- ’deleteConfirm()’ embeds a message without escaping.
### PoC
1. Add XSS to admin locale (e.g.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-11-06
Published