#VU8713 Stored Cross-site scripting in Magento Open Source and Adobe Commerce (formerly Magento Commerce)


Published: 2017-10-05

Vulnerability identifier: #VU8713

Vulnerability risk: Low

CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-352

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Magento Open Source
Web applications / E-Commerce systems
Adobe Commerce (formerly Magento Commerce)
Web applications / E-Commerce systems

Vendor: Magento, Inc

Description
The vulnerability allows a remote attacker to perform an XSS attack.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the Group Name parameter (code). A remote authenticated attacker can permanently inject and execute arbitrary HTML code in the victim's browser. The exploit code will be present on several pages where the customer group is shown (when viewing individual orders, individual customers, etc.).

This vulnerability can be chained with the CSRF vulnerability described in this advisory.

Mitigation
Update to version 1.9.3.6, 1.14.3.6, 2.0.16 or 2.1.9.
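Because the injected value is stored in the customer group name, existing group names are worth reviewing alongside the update. The following is an added example, not code from the advisory or from Magento: it flags group names that contain markup and shows the encoded form for HTML output. It assumes the rows were exported from the `customer_group` table (`customer_group_id`, `customer_group_code`); the sample rows and the matching heuristics are constructed for illustration.

```python
import html
import re

# Constructed sample rows, shaped like an export of the customer_group table
# (customer_group_id, customer_group_code). Assumed layout, not real data.
SAMPLE_ROWS = [
    (0, "NOT LOGGED IN"),
    (1, "General"),
    (2, "Wholesale & Trade"),
    (4, "VIP<script>/* constructed sample */</script>"),
    (5, 'Retail" onmouseover="/* constructed sample */'),
]

# Start of an HTML tag, closing tag or comment.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z!]")
# A quote character followed later by an event-handler style attribute.
ATTR_RE = re.compile(r"""["'`].*\bon[a-z]+\s*=""", re.I | re.S)


def classify(code):
    """Return the reasons a stored group name looks like markup (empty if clean)."""
    # Decode entities first so '&lt;script&gt;' is judged like '<script>'.
    decoded = html.unescape(code)
    reasons = []
    if TAG_RE.search(decoded):
        reasons.append("html-tag")
    if ATTR_RE.search(decoded):
        reasons.append("attribute-breakout")
    if any(ord(ch) < 0x20 for ch in decoded):
        reasons.append("control-char")
    return reasons


def audit(rows):
    """Map customer_group_id -> reasons, only for rows that need review."""
    return {gid: r for gid, code in rows if (r := classify(code))}


def render(code):
    """Encode a group name for an HTML text or quoted-attribute context."""
    return html.escape(code, quote=True)


if __name__ == "__main__":
    names = dict(SAMPLE_ROWS)
    for gid, reasons in audit(SAMPLE_ROWS).items():
        print(gid, reasons, render(names[gid]))
```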

Vulnerable software versions

Magento Open Source: 1.9.0.0 - 1.9.3.5

Adobe Commerce (formerly Magento Commerce): 1.14.0.0 - 1.14.3.5, 2.0.0 - 2.0.15, 2.1.0 - 2.1.8


External links
http://www.defensecode.com/advisories/DC-2017-09-001_Magento_CSRF_Stored_Cross_Site_Scripting.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
