#VU8472 Stored XSS in Adobe Commerce (formerly Magento Commerce)
Published: September 15, 2017
Vulnerability identifier: #VU8472
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Adobe Commerce (formerly Magento Commerce)
Software vendor:
Adobe
Description
The vulnerability allows a remote authenticated administrator to perform XSS attacks.
The vulnerability exists due to insufficient input sanitization when processing page titles. A remote authenticated administrator can permanently inject arbitrary HTML and script code that is executed in the victim's browser in the context of the vulnerable website.
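An added illustration, not code from this advisory or from Adobe or the Magento project: a Python sketch of the defect class the description names, rendering a stored page title with and without output encoding, plus a check over stored titles for tag-like markup that a plain title never needs. The sample titles are constructed.

```python
import html
import re

# Constructed sample page titles as an administrator might have stored
# them (not data from the advisory); the second one carries injected markup.
STORED_TITLES = {
    "home": "Summer Sale & Clearance",
    "about": 'About Us</title><script>alert("xss")</script>',
}


def render_title_unsafe(title: str) -> str:
    """Mirrors the defect the advisory describes: the stored title is
    concatenated into the page with no output encoding, so markup in the
    title closes the <title> element and runs in the viewer's browser."""
    return f"<title>{title}</title>"


def render_title_safe(title: str) -> str:
    """Hardened form: HTML-encode the title at output time so '<', '>',
    '&' and quotes cannot close the <title> element or start new tags."""
    return f"<title>{html.escape(title, quote=True)}</title>"


# Matches an opening or closing tag start such as "<script" or "</title".
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def audit_titles(titles: dict) -> list:
    """Return the keys of stored titles containing tag-like markup.
    A plain page title should never contain one, so a hit is worth a
    manual review on a site that ran a version before the fix."""
    return sorted(key for key, title in titles.items() if TAG_RE.search(title))


if __name__ == "__main__":
    for key, title in STORED_TITLES.items():
        print(key, render_title_safe(title))
    print("suspicious titles:", audit_titles(STORED_TITLES))
```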
Remediation
Update to version 2.0.16 or 2.1.9.