Magento Product Attributes Cross Site Scripting Vulnerability

ID 1337DAY-ID-29964
Type zdt
Reporter Bosko Stankovic
Modified 2018-03-07T00:00:00


Magento suffers from product attribute information related cross site scripting vulnerabilities. Versions affected include Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, and Magento 2.2 prior to 2.2.3.

                                            Advisory Title: Magento Stored Cross-Site Scripting a Product Attributes
Advisory URL:
Software:       Magento
Version:        Magento 2.0 prior to 2.0.18, Magento 2.1 prior to
                2.1.12, Magento 2.2 prior to 2.2.3
Vendor Status:  Vendor contacted, vulnerability fixed
Release Date:   06/03/2018
Risk:           MEDIUM

1. General Overview
During the security audit of Magento Open Source 2 a stored cross-site
scripting vulnerability was discovered that could lead to administrator
account takeover by a lower privileged administrator, putting the
website customers and their payment information at risk.

2. Software Overview
Magento is an ecommerce platform built on open source technology
which provides online merchants with a flexible shopping cart system,
as well as control over the look, content and functionality of their
online store. Magento offers powerful marketing, search engine
optimization, and catalog-management tools. It is a leading
enterprise-class eCommerce platform, empowering over 200,000
online retailers.


3. Vulnerability Description
During the security analysis of Magento Open Source 2 it was
discovered that there is a stored cross-site scripting vulnerability
present when an attribute value is set to a malicious JavaScript
payload and added to a product. The payload will execute whenever a
product is opened for editing, allowing a lower privileged admin
with access to products and attributes to attack a higher privileged

4. Solution
Vendor fixed the reported security issues and released a new version.
All users are strongly advised to update to the latest available

5. Credits
Discovered by Bosko Stankovic ([email protected]).

6. Disclosure Timeline
22/11/2017   Vendor contacted through Bugcrowd platform
27/11/2017   Vendor responded
28/02/2018   Vulnerability fixed
06/03/2018   Advisory released

# [2018-04-08]  #