CVE-2025-64174
📋 TL;DR
This stored XSS vulnerability in Magento-lts allows attackers with admin database access or control over admin notification feeds to inject malicious scripts into vulnerable fields. Unescaped translation strings and URLs in the notification grid renderer enable script execution when viewed by administrators. Affected users are those running Magento-lts versions 20.15.0 and below.
💻 Affected Systems
- OpenMage Magento-lts
⚠️ Risk & Real-World Impact
Worst Case
An attacker with admin database access could inject persistent XSS payloads that execute in admin sessions, potentially leading to full administrative account compromise, data theft, or further server exploitation.
Likely Case
Malicious translation strings or polluted notification data cause script execution in admin panels, potentially stealing session cookies or performing unauthorized admin actions.
If Mitigated
With proper input validation and output encoding, the risk is limited to authenticated admin users viewing malicious content, but still poses credential theft risk.
🎯 Exploit Status
Exploitation requires admin database access or ability to modify notification feed data. The vulnerability is in the admin interface rendering.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 20.16.0
Vendor Advisory: https://github.com/OpenMage/magento-lts/security/advisories/GHSA-qv78-c8hc-438r
Restart Required: No
Instructions:
1. Backup your Magento installation and database.
2. Update to Magento-lts version 20.16.0 or later.
3. Clear cache and recompile if necessary.
4. Verify the fix by checking the version.
🔧 Temporary Workarounds
Input Validation and Output Encoding
Implement additional input validation for translation strings and notification data, and ensure proper output encoding in affected templates.
This requires manual code review and modification of app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Actions.php.
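The escaping problem described above, shown as a vulnerable and a hardened rendering pattern. This is an added illustration, not OpenMage's own renderer code; the function names, the row layout and the sample data are hypothetical.

```php
<?php
// Added illustration, not OpenMage's renderer. A minimal "actions" cell
// renderer for an admin notification grid row, in two variants.

// Vulnerable pattern: the translated label and the feed URL are
// concatenated into HTML without encoding, so a polluted translation
// string or feed entry becomes live markup when an admin views the grid.
function renderActionsVulnerable(array $row, string $readMore): string
{
    return '<a href="' . $row['url'] . '" target="_blank">' . $readMore . '</a>';
}

// Hardened pattern: HTML-encode every text value (quotes included, since
// the value lands inside an attribute) and allow only http(s) URLs in
// href, because HTML-encoding alone does not neutralize a "javascript:"
// scheme inside an attribute value.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function safeUrl(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : '#';
}

function renderActionsHardened(array $row, string $readMore): string
{
    return '<a href="' . escapeHtml(safeUrl($row['url'])) . '" target="_blank">'
         . escapeHtml($readMore) . '</a>';
}

// Constructed sample data standing in for tampered database rows: a
// feed URL with a javascript: scheme and a translation string carrying
// an injected tag with an event handler.
$row      = ['url' => 'javascript:alert(1)'];
$readMore = 'Read Details<img src=x onerror=alert(1)>';

echo "Vulnerable: ", renderActionsVulnerable($row, $readMore), PHP_EOL;
echo "Hardened:   ", renderActionsHardened($row, $readMore), PHP_EOL;
```

The hardened output keeps the injected tag as visible text and replaces the javascript: link target with a harmless anchor, which is the behaviour to look for when reviewing the patched renderer.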
🧯 If You Can't Patch
- Restrict database access to admin users only and implement strict access controls.
- Monitor and sanitize admin notification feed sources to prevent malicious data injection.
🔍 How to Verify
Check if Vulnerable:
Check if running Magento-lts version 20.15.0 or below. Review app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Actions.php for unescaped output.
Check Version (run from the Magento root directory, since the include path is relative):
php -r "include 'app/Mage.php'; echo Mage::getVersion();"
Verify Fix Applied:
Verify installation is version 20.16.0 or later. Check that output in notification grid is properly escaped.
📡 Detection & Monitoring
Log Indicators:
- Unusual database modifications to translation tables or notification data
- Admin panel access with suspicious payloads in URLs or forms
Network Indicators:
- Unexpected outbound connections from admin sessions
- Suspicious data in notification feed requests
SIEM Query:
source="magento_access_logs" AND (uri="*notification*" OR uri="*admin*" OR uri="*grid*") AND (payload="*script*" OR payload="*javascript:*" OR payload="*onerror=*")