Moderate severityNVD Advisory· Published Jul 29, 2024· Updated Aug 2, 2024
Magento LTS vulnerable to stored Cross-site Scripting (XSS) in admin system configs
CVE-2024-41676
Description
Magento-lts is a long-term support alternative to Magento Community Edition (CE). This XSS vulnerability affects the design/header/welcome, design/header/logo_src, design/header/logo_src_small, and design/header/logo_alt system configs.They are intended to enable admins to set a text in the two cases, and to define an image url for the other two cases. But because of previously missing escaping allowed to input arbitrary html and as a consequence also arbitrary JavaScript. The problem is patched with Version 20.10.1 or higher.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
openmage/magento-ltsPackagist | < 20.10.1 | 20.10.1 |
Affected products
2Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-5vrp-638w-p8m2ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-41676ghsaADVISORY
- github.com/OpenMage/magento-lts/commit/484cf8afc550e98bbf2c03fbb29a8450a32e7948ghsax_refsource_MISCWEB
- github.com/OpenMage/magento-lts/security/advisories/GHSA-5vrp-638w-p8m2ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.