Stored XSS in Adobe Commerce (formerly Magento Commerce) - #VU8480
Published: September 15, 2017
Vulnerability identifier: #VU8480
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Adobe
Affected software:
Adobe Commerce (formerly Magento Commerce)
Adobe Commerce (formerly Magento Commerce)
Detailed vulnerability description
The vulnerability allows a remote authenticated administrator to perform XSS attacks.
The vulnerability exists due to insufficient input sanitization when processing order view through the order code label. A remote authenticated administrator can permanently inject and execute arbitrary HTML and script code in victim's browser in context of vulnerable website.
The vulnerability exists due to insufficient input sanitization when processing order view through the order code label. A remote authenticated administrator can permanently inject and execute arbitrary HTML and script code in victim's browser in context of vulnerable website.
Remediation
Update to version 2.0.16 or 2.1.9.