OpenMage is vulnerable to XSS in Admin Notifications
Description
Magento-lts is a long-term support alternative to Magento Community Edition (CE). Versions 20.15.0 and below are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin with direct database access or the admin notification feed source to inject malicious scripts into vulnerable fields. Translation strings and URLs are printed unescaped into HTML contexts inside app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Actions.php, so a malicious translation or polluted row data can inject script. This issue is fixed in version 20.16.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in OpenMage Magento-lts admin notifications via unescaped translations and URLs, fixed in 20.16.0.
Vulnerability
Magento-lts versions 20.15.0 and earlier are affected by a stored cross-site scripting (XSS) vulnerability in the admin notification grid renderer. The issue exists in app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Actions.php, where translation strings and URLs are printed without escaping, allowing injection of malicious scripts [1], [4].
Exploitation
An attacker with administrative access to the database or control over the admin notification feed can inject malicious JavaScript via translation strings (e.g., locale CSV files) or by polluting URL fields. The injected script is executed in the browser of any admin viewing the notifications page. A proof-of-concept demonstrates injecting payloads into translation strings like "Read Details" or "Mark as Read" [4].
Impact
Successful exploitation leads to arbitrary JavaScript execution in the context of the admin panel, potentially allowing session hijacking, credential theft, or other malicious actions. The vulnerability requires admin-level privileges to exploit, limiting its attack surface [1], [4].
Mitigation
The vulnerability is patched in version 20.16.0. The fix applies escapeHtml() and escapeUrl() to translation outputs and URL rendering, as shown in the commit [2]. Users are advised to upgrade to the latest version or apply the patch manually.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
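To make the before/after concrete, here is an added stand-alone PHP script (not OpenMage's code) that renders the same three fragments the way 20.15.0 did and the way the 20.16.0 fix does, on constructed poisoned inputs. The helper names mirror the Magento ones but are local stand-ins assumed to behave like them, and the remove URL is a fixed placeholder.

```php
<?php
// Added example, not OpenMage's code. escapeHtml/escapeUrl/jsQuoteEscape are
// local stand-ins assumed to behave like the Magento 1 helpers: htmlspecialchars
// for the first two, backslash-escaping of single quotes for the third.
function escapeHtml(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
function escapeUrl(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
function jsQuoteEscape(string $s): string { return str_replace("'", "\\'", $s); }

// Rendering as in 20.15.0 and below: translation and URL concatenated raw.
function renderVulnerable(array $t, string $url): string
{
    return '<a target="_blank" href="' . $url . '">' . $t['Read Details'] . '</a> | '
        . '<a href="/remove" onClick="deleteConfirm(\'' . $t['Are you sure?']
        . '\', this.href); return false;">' . $t['Remove'] . '</a>';
}

// Rendering as in the 20.16.0 fix: each value escaped for the context it lands
// in (HTML text, href attribute, JS string literal inside the onClick attribute).
function renderFixed(array $t, string $url): string
{
    $confirm = sprintf("deleteConfirm('%s', this.href)", jsQuoteEscape($t['Are you sure?']));
    return '<a target="_blank" href="' . escapeUrl($url) . '">' . escapeHtml($t['Read Details'])
        . '</a> | <a href="/remove" onClick="' . $confirm . '; return false;">'
        . escapeHtml($t['Remove']) . '</a>';
}

// Constructed inputs standing in for a poisoned locale CSV (or core_translate
// row) and a polluted notification URL; the markup is illustrative only.
$translations = [
    'Read Details'  => 'Read Details<script>alert(1)</script>',
    'Are you sure?' => "x', alert(1), '",
    'Remove'        => 'Remove',
];
$rowUrl = 'https://example.test/notice" onmouseover="alert(1)';

$before = renderVulnerable($translations, $rowUrl);
$after  = renderFixed($translations, $rowUrl);
echo "before: $before\nafter:  $after\n";

// Each injected fragment survives only in the unpatched output (PHP 8+ str_contains).
$stillSafe = !str_contains($after, '<script>')                          // text context neutralised
    && !str_contains($after, '" onmouseover="')                         // href attribute kept closed
    && str_contains($after, "deleteConfirm('x\\', alert(1), \\''");     // JS literal kept intact
$wasVulnerable = str_contains($before, '<script>')
    && str_contains($before, '" onmouseover="')
    && str_contains($before, "deleteConfirm('x', alert(1), ''");
exit($stillSafe && $wasVulnerable ? 0 : 1);
```

Run with `php example.php`; a zero exit status means the patched rendering neutralised all three constructed inputs while the unpatched one let them through.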
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openmage/magento-lts (Packagist) | < 20.16.0 | 20.16.0 |
Affected products
- OpenMage/magento-lts, range: < 20.16.0
Patches
2 files changed · +14 −9
app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Actions.php+12 −7 modified@@ -21,28 +21,33 @@ class Mage_Adminhtml_Block_Notification_Grid_Renderer_Actions extends Mage_Admin */ public function render(Varien_Object $row) { - $readDetailsHtml = ($row->getUrl()) - ? '<a target="_blank" href="' . $row->getUrl() . '">' . - Mage::helper('adminnotification')->__('Read Details') . '</a> | ' + $escapedRowUrl = $this->escapeUrl($row->getUrl()); + $readDetailsHtml = ($escapedRowUrl) + ? '<a target="_blank" href="' . $escapedRowUrl . '">' . + $this->escapeHtml(Mage::helper('adminnotification')->__('Read Details')) . '</a> | ' : ''; $markAsReadHtml = (!$row->getIsRead()) ? '<a href="' . $this->getUrl('*/*/markAsRead/', ['_current' => true, 'id' => $row->getId()]) . '">' . - Mage::helper('adminnotification')->__('Mark as Read') . '</a> | ' + $this->escapeHtml(Mage::helper('adminnotification')->__('Mark as Read')) . '</a> | ' : ''; + $deleteConfirmHtml = sprintf("deleteConfirm('%s', this.href)", + Mage::helper('core')->jsQuoteEscape(Mage::helper('adminnotification')->__('Are you sure?')), + ); + /** @var Mage_Core_Helper_Url $helper */ $helper = $this->helper('core/url'); return sprintf( - '%s%s<a href="%s" onClick="deleteConfirm(\'%s\', this.href); return false;">%s</a>', + '%s%s<a href="%s" onClick="%s; return false;">%s</a>', $readDetailsHtml, $markAsReadHtml, $this->getUrl('*/*/remove/', [ '_current' => true, 'id' => $row->getId(), Mage_Core_Controller_Front_Action::PARAM_NAME_URL_ENCODED => $helper->getEncodedUrl()]), - Mage::helper('adminnotification')->__('Are you sure?'), - Mage::helper('adminnotification')->__('Remove'), + $deleteConfirmHtml, + $this->escapeHtml(Mage::helper('adminnotification')->__('Remove')), ); } }
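Review bot: in the new `$deleteConfirmHtml` block the 'Are you sure?' translation is escaped only for the JavaScript string literal (jsQuoteEscape) and is then dropped into the double-quoted onClick attribute through `'%s; return false;'` without escapeHtml for that outer attribute context; a nested JS-in-attribute value needs both layers, so apply `$this->escapeHtml($deleteConfirmHtml)` at the point of use (or move the message to a data attribute read by the handler). Separately, `$escapedRowUrl` is escaped for the href attribute but the hunk adds no scheme validation for `$row->getUrl()`, which the advisory names as attacker-controlled feed input; restricting it to http/https before rendering the link would close that remaining path.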
app/design/adminhtml/default/default/template/widget/grid/massaction.phtml+2 −2 modified@@ -38,13 +38,13 @@ <?php foreach($this->getGroupedItems() as $key => $group): ?> <?php if ($key === 'default'): ?> <?php foreach($group as $_item): ?> - <option value="<?php echo $_item->getId() ?>"<?php echo ($_item->getSelected() ? ' selected="selected"' : '')?>><?php echo $_item->getLabel() ?></option> + <option value="<?php echo $_item->getId() ?>"<?php echo ($_item->getSelected() ? ' selected="selected"' : '')?>><?php echo $this->escapeHtml($_item->getLabel()) ?></option> <?php endforeach ?> <?php elseif ($key === 'grouped'): ?> <?php foreach($group as $label => $_massGroup): ?> <optgroup label="<?php echo $this->quoteEscape($label); ?>"> <?php foreach($_massGroup as $_item): ?> - <option value="<?php echo $_item->getId() ?>"<?php echo ($_item->getSelected() ? ' selected="selected"' : '')?>><?php echo $_item->getLabel() ?></option> + <option value="<?php echo $_item->getId() ?>"<?php echo ($_item->getSelected() ? ' selected="selected"' : '')?>><?php echo $this->escapeHtml($_item->getLabel()) ?></option> <?php endforeach ?> </optgroup> <?php endforeach ?>
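Review bot: both changed option lines still echo `$_item->getId()` unescaped into the value attribute while only the label gained escapeHtml; to keep the attribute context closed and the template consistent, wrap it too (`value="<?php echo $this->escapeHtml($_item->getId()) ?>"`). The unchanged optgroup line uses quoteEscape for its label where the rest of the file now uses escapeHtml; aligning the two makes the file's escaping policy uniform and easier to audit.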
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-qv78-c8hc-438r (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-64174 (ghsa, ADVISORY)
- github.com/OpenMage/magento-lts/commit/9d604f5489851c54a96fca31b0e13c414b0fb20a (ghsa, x_refsource_MISC, WEB)
- github.com/OpenMage/magento-lts/security/advisories/GHSA-qv78-c8hc-438r (ghsa, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.