CVE-2024-41676: 
PHP vulnerability analysis and mitigation

A stored XSS (Cross-Site Scripting) vulnerability was discovered in Magento-lts, a long-term support alternative to Magento Community Edition (CE). The vulnerability affects multiple system configuration fields including design/header/welcome, design/header/logosrc, design/header/logosrcsmall, and design/header/logoalt. The issue was disclosed on July 29, 2024, and has been assigned CVE-2024-41676 (GitHub Advisory, NVD).

The vulnerability stems from insufficient input validation in system configuration fields that are intended to allow administrators to set text and image URLs. Due to missing escaping functionality, these fields allowed arbitrary HTML input and consequently arbitrary JavaScript execution. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium) by NVD with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while GitHub assigned a score of 4.1 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N (NVD).

While the vulnerability's impact is considered moderate, it is particularly relevant in scenarios where users work with restrictive roles in the backend. In such cases, the ability to inject JavaScript through these settings represents an unintended privilege escalation. The vulnerability could allow attackers to execute arbitrary JavaScript code in the context of other administrative users (GitHub Advisory).

The vulnerability has been patched in version 20.10.1 of Magento-lts. For users unable to upgrade immediately, suggested workarounds include restricting access to the System Configs and checking templates where these settings are used to apply proper HTML filtering. For users who rely on HTML functionality in these fields, the new version introduces a getUnescapedValue() method to maintain backward compatibility (GitHub Advisory).