VYPR
Moderate severity · NVD Advisory · Published Jul 29, 2024 · Updated Aug 2, 2024

Magento LTS vulnerable to stored Cross-site Scripting (XSS) in admin system configs

CVE-2024-41676

Description

Magento-lts is a long-term support alternative to Magento Community Edition (CE). This XSS vulnerability affects the design/header/welcome, design/header/logo_src, design/header/logo_src_small, and design/header/logo_alt system configs. Two of them (welcome, logo_alt) are intended to let admins set a text, and the other two (logo_src, logo_src_small) to define an image URL. Because escaping was previously missing, the fields accepted arbitrary HTML and, as a consequence, arbitrary JavaScript. The problem is patched in version 20.10.1 or higher.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Magento-lts admin system configs allows arbitrary HTML/JavaScript injection due to missing escaping; patched in v20.10.1.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in Magento-lts, a long-term support alternative to Magento Community Edition. The bug affects four system configuration fields: design/header/welcome, design/header/logo_src, design/header/logo_src_small, and design/header/logo_alt. The first and last are meant to hold text (the welcome message and the logo's alt text) and the other two an image URL, but nothing escaped them on output, so arbitrary HTML and JavaScript stored in them was emitted verbatim whenever the page header was rendered [1][4].

Exploitation

Exploitation requires a backend account that can edit the Design section of System Configuration. That is a lower bar than it sounds: shops that split admin roles often grant configuration access to staff who are not meant to have full privileges, and such a user can store JavaScript in any of the four fields. The values are emitted unescaped by the blocks the patch touches, Mage_Page_Block_Html_Header and Mage_Page_Block_Html_Welcome, which render the storefront header, logo and welcome message, so the payload runs in the browser of anyone who loads such a page, customers included, not only other administrators [2][4].

Impact

Successful exploitation lets an attacker with limited backend privileges execute arbitrary JavaScript in the browsers of everyone who loads the affected pages; if a full administrator is among them, the attacker can hijack that session and gain privileges the restricted role never granted. Beyond session hijacking, the payload can deface the storefront or stage further compromise of the Magento instance. The vulnerability is classified as stored XSS because the payload persists in the configuration data and fires on every render until the value is removed [4].

Mitigation

The vulnerability is patched in version 20.10.1 or higher. The fix introduces Mage_Core_Model_Security_HtmlEscapedString, a Stringable wrapper that keeps the raw configured value and runs Mage::helper('core')->escapeHtml() on it whenever it is converted to a string, with an optional allow-list of tags as its second constructor argument; the header and welcome blocks now wrap the four config values in it instead of returning them raw [2]. Because the blocks pass no allow-list, any HTML a merchant had intentionally placed in these fields will render as literal text after upgrading, so existing values should be reviewed. Users who cannot upgrade immediately can reduce exposure by restricting which admin roles may edit the system configuration section and by escaping these settings in the templates that output them. Users who rely on HTML in these fields can restore the old behavior with getUnescapedValue() on the escaped string object, which reintroduces the original risk and should only be done for values under tight control [4].
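The escaping pattern of the fix and the review-before-upgrade workaround above, as an added example that is not OpenMage's code: MyEscapedString is a simplified stand-in for the wrapper introduced in 20.10.1 (the project's real helper is Mage::helper('core')->escapeHtml(), which this does not reproduce exactly), and renderHeaderVulnerable(), renderHeaderFixed(), auditHeaderConfig() and the sample config rows are assumptions made for this example. It assumes PHP 8.0 or newer.

```php
<?php
declare(strict_types=1);

// Added example, not OpenMage code. MyEscapedString is a simplified stand-in for
// Mage_Core_Model_Security_HtmlEscapedString: it escapes lazily in __toString()
// and re-opens only allow-listed, attribute-free tags. The render/audit helpers
// and the sample rows below are assumptions made for this example (PHP 8.0+).

final class MyEscapedString implements Stringable
{
    public function __construct(
        private string $originalValue,
        private ?array $allowedTags = null,
    ) {
    }

    public function __toString(): string
    {
        // Escape everything first; this is what neutralises the stored payload.
        $escaped = htmlspecialchars($this->originalValue, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        // Then re-open bare tags from the allow-list only (no attributes survive).
        foreach ($this->allowedTags ?? [] as $tag) {
            $pattern = '/&lt;(\/?)(' . preg_quote($tag, '/') . ')&gt;/i';
            $escaped = preg_replace($pattern, '<$1$2>', $escaped);
        }
        return $escaped;
    }

    // Deliberate opt-out mirroring getUnescapedValue() in the patch: returns the
    // raw stored value and therefore reintroduces the original risk.
    public function getUnescapedValue(): string
    {
        return $this->originalValue;
    }
}

// Constructed sample rows mirroring core_config_data (path => value); each carries
// the kind of payload the unescaped fields accepted before 20.10.1.
const SAMPLE_CONFIG = [
    'design/header/welcome'        => 'Welcome <strong>back</strong><img src=x onerror="alert(document.cookie)">',
    'design/header/logo_src'       => 'images/logo.gif" onerror="alert(1)',
    'design/header/logo_src_small' => 'images/logo_small.gif',
    'design/header/logo_alt'       => 'Shop" onmouseover="alert(1)',
];

const HEADER_TEMPLATE = '<img src="%s" alt="%s"><p class="welcome-msg">%s</p>';

// "Before": values are dropped into the template as-is, so stored quotes and
// tags terminate the attributes and inject new ones.
function renderHeaderVulnerable(array $cfg): string
{
    return sprintf(
        HEADER_TEMPLATE,
        $cfg['design/header/logo_src'],
        $cfg['design/header/logo_alt'],
        $cfg['design/header/welcome']
    );
}

// "After": each value is wrapped and only converted to a string at output time.
// The welcome text keeps a small allow-list so legitimate formatting survives;
// the URL and the alt text get no allow-list at all.
function renderHeaderFixed(array $cfg): string
{
    $src     = new MyEscapedString($cfg['design/header/logo_src']);
    $alt     = new MyEscapedString($cfg['design/header/logo_alt']);
    $welcome = new MyEscapedString($cfg['design/header/welcome'], ['strong', 'em', 'br']);
    return sprintf(HEADER_TEMPLATE, $src, $alt, $welcome);
}

// For installs that cannot upgrade yet: flag stored values of the four affected
// paths that contain markup or attribute-breakout characters. The same rows need
// review after upgrading, because they will then render as literal text.
function auditHeaderConfig(array $cfg): array
{
    $paths = [
        'design/header/welcome',
        'design/header/logo_src',
        'design/header/logo_src_small',
        'design/header/logo_alt',
    ];
    $findings = [];
    foreach ($paths as $path) {
        $value = $cfg[$path] ?? '';
        if (preg_match('/[<>"\']|\bon\w+\s*=|javascript:/i', $value) === 1) {
            $findings[$path] = $value;
        }
    }
    return $findings;
}

echo "vulnerable: ", renderHeaderVulnerable(SAMPLE_CONFIG), PHP_EOL;
echo "fixed:      ", renderHeaderFixed(SAMPLE_CONFIG), PHP_EOL;
echo "audit:      ", json_encode(array_keys(auditHeaderConfig(SAMPLE_CONFIG))), PHP_EOL;
```

In the fixed output the welcome message keeps its `<strong>` but the `<img onerror>` and the quote-breakouts in src and alt come out entity-encoded; the audit lists three of the four rows, which is the set a merchant should inspect before and after upgrading. Against a real install the audit would read the same four paths from core_config_data (per scope) rather than the constructed array.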

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                           Affected versions   Patched versions
openmage/magento-lts (Packagist)  < 20.10.1           20.10.1

Affected products

2

Patches

1
484cf8afc550

Merge commit from fork

https://github.com/OpenMage/magento-lts · Daniel Fahlke · Jul 24, 2024 · via ghsa
3 files changed · +50 −5
  • app/code/core/Mage/Core/Model/Security/HtmlEscapedString.php  +35 −0  added
    @@ -0,0 +1,35 @@
    +<?php
    +declare(strict_types=1);
    +
    +/**
    + *
    + */
    +class Mage_Core_Model_Security_HtmlEscapedString implements Stringable
    +{
    +
    +    protected $originalValue;
    +    protected $allowedTags;
    +
    +    /**
    +     * @param string $originalValue
    +     * @param string[]|null $allowedTags
    +     */
    +    public function __construct(string $originalValue, ?array $allowedTags = null)
    +    {
    +        $this->originalValue = $originalValue;
    +        $this->allowedTags = $allowedTags;
    +    }
    +
    +    public function __toString(): string
    +    {
    +        return (string) Mage::helper('core')->escapeHtml(
    +            $this->originalValue,
    +            $this->allowedTags
    +        );
    +    }
    +
    +    public function getUnescapedValue(): string
    +    {
    +        return $this->originalValue;
    +    }
    +}
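Review bot: the class docblock at the top of this hunk is empty and neither property is typed even though the file declares strict_types; `protected string $originalValue;` and `protected ?array $allowedTags;` would make the contract explicit, and the docblock should say that escaping happens lazily in __toString(), that `$allowedTags` is handed straight to Mage::helper('core')->escapeHtml(), and that getUnescapedValue() is the deliberate opt-out that returns the raw value and so reintroduces the original risk. Also worth stating there: __toString() does a Mage::helper() lookup and a full escape on every string conversion with no caching, which is fine for a handful of header values but not free for callers that convert in a loop.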
    
  • app/code/core/Mage/Page/Block/Html/Header.php  +12 −4  modified
    @@ -57,7 +57,9 @@ public function setLogo($logo_src, $logo_alt)
         public function getLogoSrc()
         {
             if (empty($this->_data['logo_src'])) {
    -            $this->_data['logo_src'] = Mage::getStoreConfig('design/header/logo_src');
    +            $this->_data['logo_src'] =  new Mage_Core_Model_Security_HtmlEscapedString(
    +                (string) Mage::getStoreConfig('design/header/logo_src')
    +            );
             }
             return $this->getSkinUrl($this->_data['logo_src']);
         }
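Review bot: in getLogoSrc() the unchanged `return $this->getSkinUrl($this->_data['logo_src']);` now passes a Mage_Core_Model_Security_HtmlEscapedString object instead of a string, and getData('logo_src') returns that object too. Anything downstream that does is_string(), takes a strict_types string parameter, or runs string functions on the value before a string context is reached will break or behave differently, so please confirm getSkinUrl() only ever uses the argument in string context. Note also that escaping now happens before the URL is built: a `&` or quote in the configured path is already entity-encoded when the skin path is resolved, which is right for the src attribute but, if getSkinUrl() checks the path against the skin directory, will no longer match a file of that name on disk.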
    @@ -68,7 +70,9 @@ public function getLogoSrc()
         public function getLogoSrcSmall()
         {
             if (empty($this->_data['logo_src_small'])) {
    -            $this->_data['logo_src_small'] = Mage::getStoreConfig('design/header/logo_src_small');
    +            $this->_data['logo_src_small'] =  new Mage_Core_Model_Security_HtmlEscapedString(
    +                (string) Mage::getStoreConfig('design/header/logo_src_small')
    +            );
             }
             return $this->getSkinUrl($this->_data['logo_src_small']);
         }
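Review bot: getLogoSrcSmall() is now the second of four near-identical wrap-and-cast blocks in this file (a fifth lives in Welcome.php), and the getSkinUrl() object-argument concern from getLogoSrc() applies here unchanged. A small private helper such as `_escapedConfig(string $path): Mage_Core_Model_Security_HtmlEscapedString` wrapping `new Mage_Core_Model_Security_HtmlEscapedString((string) Mage::getStoreConfig($path))` would keep the casting and the (absence of an) allow-list from drifting between call sites.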
    @@ -79,7 +83,9 @@ public function getLogoSrcSmall()
         public function getLogoAlt()
         {
             if (empty($this->_data['logo_alt'])) {
    -            $this->_data['logo_alt'] = Mage::getStoreConfig('design/header/logo_alt');
    +            $this->_data['logo_alt'] = new Mage_Core_Model_Security_HtmlEscapedString(
    +                (string) Mage::getStoreConfig('design/header/logo_alt')
    +            );
             }
             return $this->_data['logo_alt'];
         }
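Review bot: getLogoAlt() now returns an object, and since an object is always truthy, any template guard of the form `if ($this->getLogoAlt())` will pass even when the configured alt text is empty; that is a behaviour change from the previous null/empty-string return that should be mentioned in the changelog. Separately, escapeHtml() with no allow-list neutralises `<`, `>`, `&` and quotes but not whitespace or `=`, so the escaping only holds if the template quotes the attribute (`alt="<?php echo $this->getLogoAlt() ?>"`); an unquoted `alt=<?php echo ... ?>` would remain injectable, so the quoting requirement belongs in the class docblock.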
    @@ -97,7 +103,9 @@ public function getWelcome()
                 if (Mage::isInstalled() && Mage::getSingleton('customer/session')->isLoggedIn()) {
                     $this->_data['welcome'] = $this->__('Welcome, %s!', $this->escapeHtml(Mage::getSingleton('customer/session')->getCustomer()->getName()));
                 } else {
    -                $this->_data['welcome'] = Mage::getStoreConfig('design/header/welcome');
    +                $this->_data['welcome'] = new Mage_Core_Model_Security_HtmlEscapedString(
    +                    (string) Mage::getStoreConfig('design/header/welcome')
    +                );
                 }
             }
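Review bot: the default-branch welcome text is wrapped with no allow-list, so any markup a merchant deliberately placed in design/header/welcome (inline formatting in the default welcome text is common) will render as literal entities after this change; either pass a conservative allow-list as the second constructor argument, e.g. `['strong', 'em', 'br']`, or call the behaviour change out in the release notes. The two branches of getWelcome() now also store different types in `$this->_data['welcome']`, a plain string from `$this->escapeHtml(...)` when a customer is logged in and an object otherwise; both are safe to echo, but getData('welcome') consumers get an inconsistent type.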
     
    
  • app/code/core/Mage/Page/Block/Html/Welcome.php  +3 −1  modified
    @@ -44,7 +44,9 @@ protected function _toHtml()
                 if (Mage::isInstalled() && $this->_getSession()->isLoggedIn()) {
                     $this->_data['welcome'] = $this->__('Welcome, %s!', $this->escapeHtml($this->_getSession()->getCustomer()->getName()));
                 } else {
    -                $this->_data['welcome'] = Mage::getStoreConfig('design/header/welcome');
    +                $this->_data['welcome'] = new Mage_Core_Model_Security_HtmlEscapedString(
    +                    (string) Mage::getStoreConfig('design/header/welcome')
    +                );
                 }
             }
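Review bot: this is the same three-line wrap as Header.php::getWelcome(), including the same missing allow-list, so the escaping policy for the welcome text now lives in two places; a shared helper on a common parent or trait would keep the two from diverging. The hunk shows only the assignment into `$this->_data['welcome']`, not where _toHtml() emits it, so please verify that the rest of _toHtml() and the template use the value in a plain string context (echo or string concatenation) rather than passing it to anything that checks is_string() or declares a strict string parameter.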
     
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
