CVE-2025-64174

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-64174

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-64174.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-64174

Aliases

GHSA-qv78-c8hc-438r

Published

2025-11-06T20:45:55Z

Modified

2025-11-11T02:56:06.247403Z

Severity

4.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator

Summary

OpenMage is vulnerable to XSS in Admin Notifications

Details

Magento-lts is a long-term support alternative to Magento Community Edition (CE). Versions 20.15.0 and below are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin with direct database access or the admin notification feed source to inject malicious scripts into vulnerable fields. Unescaped translation strings and URLs are printed into contexts inside app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Actions.php. A malicious translation or polluted data can inject script. This issue is fixed in version 20.16.0.

Database specific

{
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

Git / github.com/openmage/magento-lts

Affected ranges

Type: GIT
Repo: https://github.com/openmage/magento-lts
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

9d604f5489851c54a96fca31b0e13c414b0fb20a

Affected versions

1.*

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.1.7

1.1.8

1.2.0

1.2.0.1

1.2.0.2

1.2.0.3

1.2.1

1.2.1.1

1.2.1.2

1.3.0

1.3.1

1.3.1.1

1.3.2

1.3.2.1

1.3.2.2

1.3.2.3

1.3.2.4

1.4.0.0

1.4.0.0-alpha1

1.4.0.0-alpha2

1.4.0.0-alpha3

1.4.0.0-beta1

1.4.0.0-rc1

1.4.0.1

1.4.1.0

1.4.1.1

1.4.2.0

1.5.0.0

1.5.0.0-alpha1

1.5.0.0-alpha2

1.5.0.0-beta1

1.5.0.0-beta2

1.5.0.0-rc1

1.5.0.0-rc2

1.5.0.1

1.5.1.0

1.6.0.0

1.6.0.0-alpha1

1.6.0.0-beta1

1.6.0.0-rc1

1.6.0.0-rc2

1.6.1.0

1.6.1.0-alpha1

1.6.1.0-beta1

1.6.1.0-rc1

1.7.0.0

1.7.0.0-alpha1

1.7.0.0-beta1

1.7.0.0-rc1

1.7.0.1

1.7.0.2

1.8.1.0

1.9.0.0

1.9.0.1

1.9.1.0-lts

1.9.1.1

1.9.2.3

1.9.3.0

1.9.3.1

v19.*

v19.4.0

v19.4.1

v19.4.10

v19.4.11

v19.4.12

v19.4.13

v19.4.14

v19.4.15

v19.4.16

v19.4.17

v19.4.2

v19.4.3

v19.4.4

v19.4.5

v19.4.6

v19.4.7

v19.4.8

v19.4.9

v20.*

v20.0.0

v20.0.1

v20.0.10

v20.0.11

v20.0.12

v20.0.13

v20.0.14

v20.0.15

v20.0.16

v20.0.17

v20.0.18

v20.0.2

v20.0.3

v20.0.4

v20.0.5

v20.0.6

v20.0.7

v20.0.8

v20.1.0

v20.1.0-rc1

v20.1.0-rc2

v20.1.0-rc3

v20.1.0-rc4

v20.1.0-rc5

v20.1.0-rc6

v20.1.0-rc7

v20.1.1

v20.10.0

v20.10.1

v20.11.0

v20.12.0

v20.12.1

v20.12.2

v20.13.0

v20.14.0

v20.15.0

v20.2.0

v20.3.0

v20.4.0

v20.5.0

v20.6.0

v20.7.0

v20.8.0

v20.9.0

v21.*

v21.0.0-beta2