VYPR
Low severity (CVSS 2.9) · OSV Advisory · Published Feb 28, 2025 · Updated Apr 15, 2026

CVE-2025-27400

Description

Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Versions prior to 20.12.3 and 20.13.0 contain a vulnerability that allows script execution in the admin panel, which could lead to cross-site scripting against authenticated admin users. The attack requires an admin user with configuration access, so in practice it is unlikely to be useful, given that a user with this level of access is probably already a full admin. Versions 20.12.3 and 20.13.0 contain a patch for the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Magento LTS prior to 20.12.3/20.13.0 allows stored XSS via malformed skin URLs in the admin panel; exploitation requires admin configuration access.

Vulnerability

Overview

CVE-2025-27400 is a stored cross-site scripting (XSS) vulnerability in the OpenMage Magento Long Term Support (LTS) project, an unofficial community-driven fork of Magento Community Edition. The root cause is insufficient sanitization of skin URLs in the admin panel. Specifically, the getSkinBaseUrl() method did not escape the _area, _package, and _theme parameters before constructing the URL, allowing an attacker to inject arbitrary HTML or JavaScript into the skin URL path [1][3]. The patch adds htmlspecialchars() encoding and a validate-no-html-tags validation rule to the skin configuration field [3].
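The following PHP is an added illustration, not OpenMage's code: it rebuilds the unescaped concatenation the Overview describes beside the htmlspecialchars() form used by the fix, runs both on a constructed theme value containing attribute-breaking characters, and adds an allowlist check on the stored components as a suggested defence in depth. The function names, the base URL and the sample parameters are assumptions for the demo.

```php
<?php
// Added illustration (not OpenMage's code): a minimal stand-in for how a skin
// base URL is assembled from the configured area/package/theme, before and
// after the fix. Function names and sample values are assumptions.

declare(strict_types=1);

// Pre-fix behaviour: parameters are concatenated straight into the URL path.
function skinBaseUrlUnescaped(string $base, array $p): string
{
    return $base . $p['_area'] . '/' . $p['_package'] . '/' . $p['_theme'] . '/';
}

// Post-fix behaviour (mirrors the patch): the path is HTML-entity encoded, so
// '<', '>', '"', '\'' and '&' can no longer close an attribute or open a tag.
function skinBaseUrlEscaped(string $base, array $p): string
{
    $path = $p['_area'] . '/' . $p['_package'] . '/' . $p['_theme'] . '/';
    $path = htmlspecialchars($path, ENT_HTML5 | ENT_QUOTES, 'UTF-8');
    return $base . $path;
}

// Defence in depth (assumption, not part of the patch): theme path components
// only ever contain letters, digits, '_' and '-', so reject anything else on save.
function isSafePathComponent(string $v): bool
{
    return preg_match('/\A[A-Za-z0-9_-]+\z/', $v) === 1;
}

// Constructed sample: a theme value an admin with configuration access could
// have stored; it contains characters that break out of an href attribute.
$base   = 'https://shop.example/skin/';
$params = ['_area' => 'adminhtml', '_package' => 'default', '_theme' => 'default"><i>marker</i>'];

$unsafe = skinBaseUrlUnescaped($base, $params);
$safe   = skinBaseUrlEscaped($base, $params);

// Render the value the way head.phtml does, to compare the two outputs.
echo '<link rel="stylesheet" href="' . $unsafe . 'styles.css"/>' . PHP_EOL;
echo '<link rel="stylesheet" href="' . $safe . 'styles.css"/>' . PHP_EOL;

// The allowlist flags the bad component before it would ever be stored.
foreach ($params as $k => $v) {
    printf("%-9s %s\n", $k, isSafePathComponent($v) ? 'ok' : 'REJECT');
}
```

The first rendered line shows the stored value terminating the href attribute and injecting markup; the second shows the encoded path staying inside the attribute.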

Exploitation

Prerequisites

Exploitation requires an authenticated admin user with configuration access (e.g., the ability to modify design settings). The attacker must set a malformed skin URL containing malicious script code. Because the vulnerability is stored, the injected payload would be executed when other admin users load pages that reference the crafted skin URL [1][2]. The attack surface is limited to the admin panel, and the attacker already needs elevated privileges, reducing the practical likelihood of exploitation.

Impact

If successfully exploited, an attacker could execute arbitrary JavaScript in the context of another admin user's session. This could lead to session hijacking, defacement, or further privilege escalation within the admin panel. However, the CVSS v3 base score of 2.9 (Low) reflects the high privilege requirement and the limited scope of impact [2].

Mitigation

The vulnerability is fixed in OpenMage Magento LTS versions 20.12.3 and 20.13.0 [1][4]. Users running earlier versions should upgrade immediately. No workarounds are documented, but restricting admin configuration access to trusted users can reduce risk.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: openmage/magento-lts (Packagist)
Affected versions: < 20.12.3
Patched versions: 20.12.3

Patches


Sanitize skin urls that could be used for XSS (#4654)

https://github.com/OpenMage/magento-lts · Colin Mollenhour · Feb 26, 2025 · via ghsa
4 files changed · +11 −5
  • app/code/core/Mage/Core/etc/system.xml (+1 −0, modified)
    @@ -332,6 +332,7 @@
                             </template_ua_regexp>
                             <skin translate="label">
                                 <label>Skin (Images / CSS)</label>
    +                            <validate>validate-no-html-tags</validate>
                                 <sort_order>30</sort_order>
                                 <show_in_default>1</show_in_default>
                                 <show_in_website>1</show_in_website>
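Review bot: the `<validate>validate-no-html-tags</validate>` added to the skin field is a client-side form-validation class on the admin configuration form, so it only helps when the value is saved through that form; a value written through any other configuration path bypasses it. Keep it as defence in depth, but the effective control is the output encoding in Package.php; consider also rejecting the same characters server-side on save (for example in the field's backend model) so the stored value is clean regardless of how it was set.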
    
  • app/code/core/Mage/Core/Model/Design/Package.php (+6 −3, modified)
    @@ -359,8 +359,10 @@ public function getSkinBaseUrl(array $params = [])
         {
             $params['_type'] = 'skin';
             $this->updateParamDefaults($params);
    -        return Mage::getBaseUrl('skin', isset($params['_secure']) ? (bool) $params['_secure'] : null)
    -            . $params['_area'] . '/' . $params['_package'] . '/' . $params['_theme'] . '/';
    +        $urlPath = $params['_area'] . '/' . $params['_package'] . '/' . $params['_theme'] . '/';
    +        // Prevent XSS through malformed configuration
    +        $urlPath = htmlspecialchars($urlPath, ENT_HTML5 | ENT_QUOTES, 'UTF-8');
    +        return Mage::getBaseUrl('skin', isset($params['_secure']) ? (bool) $params['_secure'] : null) . $urlPath;
         }
     
         /**
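Review bot: encoding the whole path with `htmlspecialchars()` inside `getSkinBaseUrl()` places HTML-context output encoding in a getter whose result is also emitted into `href` attributes and JavaScript string literals, so any caller that still escapes the value will now double-encode (`&` becomes `&amp;amp;`), and entity encoding is not a complete JS-string escape (backslash and line terminators pass through). Since `_area`, `_package` and `_theme` are directory names that can never legitimately contain `<`, `>`, `"`, `'` or `&`, a stricter fix is to reject such characters in `updateParamDefaults()` (or on save) and leave context-specific escaping to the templates. At minimum, add a docblock line on the method stating that its return value is now HTML-encoded so callers know not to escape it again.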
    @@ -524,7 +526,8 @@ public function getSkinUrl($file = null, array $params = [])
             }
             $this->updateParamDefaults($params);
             if (!empty($file)) {
    -            $result = $this->_fallback(
    +            // This updates $params with the base package and default theme if the file is not found
    +            $this->_fallback(
                     $file,
                     $params,
                     $this->_fallback->getFallbackScheme(
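Review bot: dropping the `$result =` assignment on `$this->_fallback(` turns this into a call kept only for its side effect on `$params`, as the new comment says, but the hunk ends before the rest of the `if (!empty($file))` block, so it is not visible whether `$result` is still read later in the method (which would now be an undefined variable); please confirm. Also consider documenting the by-reference update of `$params` in the method docblock rather than only in an inline comment, since `_fallback()` mutating its argument is easy to miss.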
    
  • app/design/adminhtml/default/default/template/oauth/authorize/head-simple.phtml (+1 −1, modified)
    @@ -30,7 +30,7 @@
         var BLANK_URL = '<?php echo $this->getJsUrl() ?>blank.html';
         var BLANK_IMG = '<?php echo $this->getJsUrl() ?>spacer.gif';
         var BASE_URL = '<?php echo $this->getUrl('*') ?>';
    -    var SKIN_URL = '<?php echo $this->jsQuoteEscape($this->getSkinUrl()) ?>';
    +    var SKIN_URL = '<?php echo $this->getSkinUrl() ?>';
         var FORM_KEY = '<?php echo $this->getFormKey() ?>';
     //]]>
     </script>
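Review bot: replacing `$this->jsQuoteEscape($this->getSkinUrl())` with a bare `$this->getSkinUrl()` inside a single-quoted JavaScript string makes the value's safety in that context depend entirely on the entity encoding applied upstream in Package.php. That encoding turns `'` into an entity, so the delimiter can no longer end the string, and `jsQuoteEscape()` only escapes the delimiter, so after encoding it is effectively a no-op; keeping the call would therefore be harmless and the template would still read as JS-escaped to the next reviewer. Neither `jsQuoteEscape()` nor `htmlspecialchars()` handles a backslash or line terminator in the value, so the stored components should also be restricted on save. If the removal is deliberate to avoid double-encoding, say so in the commit message.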
    
  • app/design/adminhtml/default/default/template/page/head.phtml (+3 −1, modified)
    @@ -21,13 +21,15 @@
     <link rel="icon" href="<?php echo $this->getSkinUrl('favicon.ico') ?>" type="image/x-icon"/>
     
     <script type="text/javascript">
    +//<![CDATA[
         var BLANK_URL = '<?php echo $this->getJsUrl() ?>blank.html';
         var BLANK_IMG = '<?php echo $this->getJsUrl() ?>spacer.gif';
         var BASE_URL = '<?php echo $this->getUrl('*') ?>';
    -    var SKIN_URL = '<?php echo $this->jsQuoteEscape($this->getSkinUrl()) ?>';
    +    var SKIN_URL = '<?php echo $this->getSkinUrl() ?>';
         var FORM_KEY = '<?php echo $this->getFormKey() ?>';
         <?php # BC: cast to INT in case of non-existing method getLoadingTimeout() in 3rd-party code?>
         var LOADING_TIMEOUT = <?php echo (int)$this->getLoadingTimeout() ?>;
    +//]]>
     </script>
     
     <?php echo $this->getCssJsHtml() ?>
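Review bot: the `SKIN_URL` line has the same concern as in head-simple.phtml (JS-string escaping replaced by upstream entity encoding). The added `//<![CDATA[` / `//]]>` wrapper brings this template in line with head-simple.phtml, which is fine, but note that nothing decodes entities inside a script block, so a skin URL containing an encoded character reaches JavaScript as the literal entity (for example `&quot;` rather than `"`); that is safe, but `SKIN_URL` may then differ from the URL the browser uses for the `<link rel="icon" href="...">` request above it. Confirm that scripts consuming `SKIN_URL` tolerate the encoded form, or, better, restrict the stored components so the encoding never changes a legitimate value.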
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
