Home > Vulnerability Database > CVE-2024-41676

Mend.io Vulnerability Database

CVE-2024-41676

Good to know:

Date: July 29, 2024

Magento-lts is a long-term support alternative to Magento Community Edition (CE). This XSS vulnerability affects the design/header/welcome, design/header/logo_src, design/header/logo_src_small, and design/header/logo_alt system configs.They are intended to enable admins to set a text in the two cases, and to define an image url for the other two cases. But because of previously missing escaping allowed to input arbitrary html and as a consequence also arbitrary JavaScript. The problem is patched with Version 20.10.1 or higher.

Language: PHP

Severity Score

4.1

Related Resources (5)

Url: https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5vrp-638w-p8m2

Url: https://github.com/OpenMage/magento-lts/commit/484cf8afc550e98bbf2c03fbb29a8450a32e7948

Url: https://github.com/OpenMage/magento-lts

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-41676

Url: https://www.mend.io/vulnerability-database/CVE-2024-41676

Severity Score

4.1

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Top Fix

Upgrade Version

Upgrade to version openmage/magento-lts-v20.10.1

Learn More

CVSS v3.1

Base Score:	4.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-41676

Good to know:

Date: July 29, 2024

Language: PHP

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?