Magento LTS vulnerable to stored XSS in theme config fields
As reported by Aakash Adhikari (GitHub: @justlife4x4), the Design > Themes > Skin (Images / CSS) config field allows a stored XSS when it contains an end script tag.
This XSS vulnerability concerns the system configs design/header/welcome, design/header/logo_src, design/header/logo_src_small and design/header/logo_alt. They are intended to let admins set a text in two of the cases and define an image URL in the other two. Because escaping was previously missing, these fields accepted arbitrary HTML and, as a consequence, arbitrary JavaScript. While this is not a relevant issue in most usage scenarios, some people work with …
Summary: OpenMage is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Details: Mage_Adminhtml_Block_System_Config_Form_Field_File does not escape the filename value in certain situations. Same as: https://nvd.nist.gov/vuln/detail/CVE-2024-20717 PoC: Create an empty file with this filename: <img src=x onerror=alert(1)>.crt Go to System > Configuration > Sales | Payment Methods. Click Configure on PayPal Express Checkout. Choose API Certificate from …
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in openmage/magento-lts.
Improper Neutralization in openmage/magento-lts.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in openmage/magento-lts.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in openmage/magento-lts.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in openmage/magento-lts.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in openmage/magento-lts.
Impact: Infinite loop in malicious code filter in certain conditions. Workarounds: None
Cross-Site Request Forgery (CSRF) in openmage/magento-lts.
OpenMage magento-lts is an alternative to the Magento CE official releases. Due to missing sanitization in the data flow in versions prior to 19.4.15 and 20.0.13, it was possible for admin users to upload arbitrary executable files to the server. OpenMage versions 19.4.15 and 20.0.13 have a patch for this issue.
Admin users can execute arbitrary commands via block methods.
Magento-lts is a long-term support alternative to Magento Community Edition (CE). A vulnerability in magento-lts versions before 19.4.13 and 20.0.9 potentially allows an administrator unauthorized access to restricted resources. This is a backport of CVE-2021-21024. The vulnerability is patched in versions 19.4.13 and 20.0.9.
Magento-lts is a long-term support alternative to Magento Community Edition (CE). In magento-lts versions 19.4.12 and prior and 20.0.8 and prior, there is a vulnerability caused by the unsecured deserialization of an object. A patch in versions 19.4.13 and 20.0.9 was backported from Zend Framework 3. The vulnerability was assigned CVE-2021-3007 in Zend Framework.
OpenMage is a community-driven alternative to Magento CE. In OpenMage, an administrator with permission to import/export data and to edit cms pages was able to inject an executable file on the server via layout xml.
OpenMage is a community-driven alternative to Magento CE. The latest OpenMage Versions up from have this Issue solved
OpenMage is a community-driven alternative to Magento CE. In OpenMage there is a vulnerability which enables remote code execution. In affected versions an administrator with permission to update product data is able to store an executable file on the server and load it via layout xml.
In Magento (rubygems openmage/magento-lts package) before versions 19.4.8 and 20.0.4, an admin user can generate soap credentials that can be used to trigger RCE via PHP Object Injection through product attributes and a product. The issue is patched in versions 19.4.8 and 20.0.4.
OpenMage LTS before versions 19.4.6 and 20.0.2 allows attackers to circumvent the formkey protection in the Admin Interface and increases the attack surface for Cross-Site Request Forgery attacks. This issue is related to Adobe's CVE-2020-9690. It is patched in versions 19.4.6 and 20.0.2.