GHSA-gp6m-fq6h-cjcx: Magento LTS vulnerable to stored XSS in admin file form
Summary
OpenMage is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields.
Details
Mage_Adminhtml_Block_System_Config_Form_Field_File
does not escape filename value in certain situations.
Same as: https://nvd.nist.gov/vuln/detail/CVE-2024-20717
PoC
- Create empty file with this filename:
<img src=x onerror=alert(1)>.crt
- Go to System > Configuration > Sales | Payment Methonds.
- Click Configure on PayPal Express Checkout.
- Choose API Certificate from dropdown API Authentication Methods.
- Choose the XSS-file and click Save Config.
- Profit, alerts “1” -> XSS.
- Reload, alerts “1” -> Stored XSS.
Impact
Affects admins that have access to any fileupload field in admin in core or custom implementations. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
References
Detect and mitigate GHSA-gp6m-fq6h-cjcx with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →