Magento LTS vulnerable to stored XSS in admin file form

Summary

OpenMage is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields.

Details

Mage_Adminhtml_Block_System_Config_Form_Field_File does not escape filename value in certain situations. Same as: https://nvd.nist.gov/vuln/detail/CVE-2024-20717

PoC

Create empty file with this filename: <img src=x onerror=alert(1)>.crt
Go to System > Configuration > Sales | Payment Methonds.
Click Configure on PayPal Express Checkout.
Choose API Certificate from dropdown API Authentication Methods.
Choose the XSS-file and click Save Config.
Profit, alerts "1" -> XSS.
Reload, alerts "1" -> Stored XSS.

Impact

Affects admins that have access to any fileupload field in admin in core or custom implementations. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

Published: Feb 27, 2024
Updated: Feb 28, 2024
GHSA: GHSA-gp6m-fq6h-cjcx
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
openmage / magento-lts	20.0.0	20.5.0
openmage / magento-lts	-	19.5.3

https://github.com/OpenMage/magento-lts/security/advisories/GHSA-gp6m-fq6h-cjcx

Vulnerability Database

290,020

Magento LTS vulnerable to stored XSS in admin file form

Summary

Details

PoC

Impact