Cross-Site Scripting Vulnerability in Magento Long Term Support Admin Panel
CVE-2025-27400
2.9 LOW
What is CVE-2025-27400?
Magento Long Term Support (magento-lts), a community-driven alternative to Magento Community Edition, has a cross-site scripting vulnerability in versions prior to 20.12.3 and 20.13.1. The flaw allows an authenticated admin user to execute scripts within the admin panel. Because exploitation requires administrative access, the issue is less concerning in practical terms, but it still poses a risk if that access is compromised. Users are advised to upgrade to the patched versions to mitigate this security issue. For more information, consult the security advisory on GitHub.
Affected Version(s)
magento-lts < 20.12.3
