CVE-2025-64174: 
PHP Schwachstellenanalyse und -minderung

CVE-2025-64174 is a stored Cross-Site Scripting (XSS) vulnerability affecting OpenMage versions v20.15.0 and earlier. The vulnerability was discovered and disclosed on November 1, 2025, affecting the OpenMage/magento-lts package. The vulnerability exists in the admin notifications system where unescaped translation strings and URLs could be exploited (GitHub Advisory).

The vulnerability stems from unescaped translation strings and URLs being printed into contexts inside app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Actions.php. The issue specifically involves link labels using __() without proper escaping and 'deleteConfirm()' embedding messages without escaping. The vulnerability has been assigned a CVSS v4.0 score of 4.6 (Moderate) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N (GitHub Advisory).

The vulnerability allows malicious JavaScript execution in a victim's browser when they browse to the affected admin page. The impact is limited as it requires an attacker to have administrative or translation privileges to exploit. The vulnerability can affect system integrity and confidentiality at a low level (GitHub Advisory).

The vulnerability has been patched in version 20.16.0 of OpenMage/magento-lts. Users should upgrade to this version or later to mitigate the risk (GitHub Advisory).