GHSA-x8jv-q8j2-487cMedium
Magento LTS: Reflected XSS - Import -> Data Flow (profiles)
🔗 CVE IDs covered (1)
📋 Description
A reflected XSS vulnerability was found under admin panel -> System -> Import/Export -> Dataflow - Profiles.
Steps to produce
-
Login to the admin panel
-
Go to the path
System -> Import/Export -> Dataflow - Profiles -
Select profile direction as
Import. -
Click on
Import Customers -
Upload the file.
File Link: customer_20260212_204335.csv
-
Go back to
Run profile. -
Select the uploaded file and Click on
Run in Popup. -
One can see a URL like this
https://demo-admin.openmage.org/index.php/admin/system_convert_gui/run/id/6/key/40dbbb2e93f45f0463c57ff733352f4f/files/import-20260215151125-1_customer_20260212_204335.csv/
-
One can see the filename getting reflection in HTML tags.
-
Inject an HTML tag and observe.
https://demo-admin.openmage.org/index.php/admin/system_convert_gui/run/id/6/key/40dbbb2e93f45f0463c57ff733352f4f/files/"><h3>hacked</h3>/
-
One can see the tag is getting executed.
-
Proceed for XSS.
https://demo-admin.openmage.org/index.php/admin/system_convert_gui/run/id/6/key/40dbbb2e93f45f0463c57ff733352f4f/files/%3CScRiPt%20%3Eprompt(document.cookie)%3C%2FScRiPt%3E
- There is an XSS popup.
Impact
Cookie stealing, JS deface, many more
🎯 Affected products1
- composer/openmage/magento-lts:<= 20.17.0