GHSA-5pxh-89cx-4668
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5pxh-89cx-4668
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-5pxh-89cx-4668/GHSA-5pxh-89cx-4668.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-5pxh-89cx-4668
- Aliases
- Published
- 2025-03-03T19:47:12Z
- Modified
- 2025-03-03T20:15:11.584476Z
- Severity
-
- 2.9 (Low) CVSS_V3 - CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L CVSS Calculator
- Summary
- Magento LTS vulnerable to stored XSS in theme config fields
- Details
-
As reported by Aakash Adhikari, Github: @justlife4x4, the Design > Themes > Skin (Images / CSS) config field allows a Stored XSS when it contains an end script tag.
Impact
A malicious user with access to this configuration field could use a Stored XSS to affect other authenticated admin users in the admin panel.
The attack requires an admin user with configuration access, so in practice, it is not very likely to be used for gaining elevated privileges, although it could theoretically be used to impersonate other users.
- Database specific
{ "github_reviewed_at": "2025-03-03T19:47:12Z", "severity": "LOW", "nvd_published_at": "2025-02-28T16:15:40Z", "github_reviewed": true, "cwe_ids": [ "CWE-79" ] }- References
-
- https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5pxh-89cx-4668
- https://nvd.nist.gov/vuln/detail/CVE-2025-27400
- https://github.com/OpenMage/magento-lts/commit/d307e5bf75729a2347dde0952fe9fd9fcd9c6aea
- https://github.com/OpenMage/magento-lts
- https://github.com/OpenMage/magento-lts/releases/tag/v20.12.3
- https://github.com/OpenMage/magento-lts/releases/tag/v20.13.0
Affected packages
Packagist / openmage/magento-lts
Package
- Name
- openmage/magento-lts
- Purl
- pkg:composer/openmage/magento-lts
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed20.12.3
Affected versions
1.*
1.9.1.1
1.9.2.0
1.9.2.1
1.9.2.2
1.9.2.3
1.9.2.4
1.9.3.0
1.9.3.1
v19.*
v19.4.0
v19.4.1
v19.4.2
v19.4.3
v19.4.4
v19.4.5
v19.4.6
v19.4.7
v19.4.8
v19.4.9
v19.4.10
v19.4.11
v19.4.12
v19.4.13
v19.4.14
v19.4.15
v19.4.16
v19.4.17
v19.4.18
v19.4.19
v19.4.20
v19.4.21
v19.4.22
v19.4.23
v19.5.0-rc1
v19.5.0-rc2
v19.5.0-rc3
v19.5.0-rc4
v19.5.0-rc5
v19.5.0
v19.5.1
v19.5.2
v19.5.3
v20.*
v20.0.0
v20.0.1
v20.0.2
v20.0.3
v20.0.4
v20.0.5
v20.0.6
v20.0.7
v20.0.8
v20.0.10
v20.0.11
v20.0.12
v20.0.13
v20.0.14
v20.0.15
v20.0.16
v20.0.17
v20.0.18
v20.0.19
v20.0.20
v20.1.0-rc1
v20.1.0-rc2
v20.1.0-rc3
v20.1.0-rc4
v20.1.0-rc5
v20.1.0-rc6
v20.1.0-rc7
v20.1.0
v20.1.1
v20.2.0
v20.3.0
v20.4.0
v20.5.0
v20.6.0
v20.7.0
v20.8.0
v20.9.0
v20.10.0
v20.10.1
v20.10.2
v20.11.0
v20.12.0
v20.12.1
v20.12.2