Stored XSS in Adobe Commerce (formerly Magento Commerce) - #VU8477
Published: September 15, 2017
Vulnerability identifier: #VU8477
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Adobe
Affected software:
Adobe Commerce (formerly Magento Commerce)
Adobe Commerce (formerly Magento Commerce)
Detailed vulnerability description
The vulnerability allows a remote authenticated administrator to perform XSS attacks.
The vulnerability exists due to insufficient input sanitization when processing product thumbnails. A remote authenticated administrator can permanently inject and execute arbitrary HTML and script code in victim's browser in context of vulnerable website.
The vulnerability exists due to insufficient input sanitization when processing product thumbnails. A remote authenticated administrator can permanently inject and execute arbitrary HTML and script code in victim's browser in context of vulnerable website.
Remediation
Update to version 2.0.16 or 2.1.9.