OpenMage Magento Long Term Support
cpe:2.3:a:openmage:magento:*:*:*:*:*:*:*
- < 20.12.3
A stored cross-site scripting vulnerability has been identified in OpenMage Magento Long Term Support (LTS) versions prior to 20.12.3 and 20.13.1. The issue arises in the admin panel's Design > Themes > Skin (Images / CSS) configuration field, where an end script tag can be inserted, potentially affecting other authenticated admin users. Exploitation requires an admin user with configuration access, making it less likely to be used for gaining elevated privileges, but it could be used to impersonate other users.
Exploitation results in stored cross-site scripting: the injected script executes in the context of the affected user.
To reproduce this vulnerability, an admin user with configuration access can navigate to the Design > Themes > Skin (Images / CSS) config field. By inserting a script tag into this field, the vulnerability can be exploited, as the injected script will be executed when the configuration is accessed by other admin users.
Users can upgrade to OpenMage Magento LTS versions 20.12.3 or 20.13.1, both of which include the necessary patch to address this vulnerability.
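Why an end script tag in a stored value is enough is shown in the added example below, which is not OpenMage's code or its patch. It assumes the stored value is written into an inline script block, which the advisory does not state; the function names and the sample value are hypothetical.

```php
<?php
// Added example, not OpenMage code. Assumption: a stored config value is
// echoed into an inline <script> block on an admin page.

// Constructed sample value: a skin name followed by an end script tag.
$skin = 'default</script><b>markup now parsed as HTML</b>';

// Weak: addslashes() keeps the JavaScript string quoted, but the HTML parser
// ends the script element at the first "</script", whatever the JS quoting.
function renderWeak(string $value): string
{
    return "<script>var skin = '" . addslashes($value) . "';</script>";
}

// Hardened: json_encode() emits a valid JS string literal, and the JSON_HEX_*
// flags turn <, >, &, ' and " into \uXXXX escapes, so no "</script" sequence
// can appear inside the element.
function renderHardened(string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_THROW_ON_ERROR;
    return '<script>var skin = ' . json_encode($value, $flags) . ';</script>';
}

// Counts end script tags in the rendered HTML. Exactly one is expected:
// the template's own closing tag.
function endTagCount(string $html): int
{
    return substr_count(strtolower($html), '</script');
}

$rendered = [
    'weak'     => renderWeak($skin),
    'hardened' => renderHardened($skin),
];

foreach ($rendered as $name => $html) {
    printf("%-9s end tags: %d  %s\n", $name, endTagCount($html), $html);
}
```

An end-tag count above one for the weak rendering means the stored value closed the script element early and the rest of it is parsed as page markup; the hardened rendering keeps the whole value inside the string literal.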