4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-45127

GHSA ID

GHSA-c89g-gq5r-2xw2

EPSS Score

0.53684%

CWE

CWE-79

Published

10/10/2024

Updated

10/11/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-45127

CVE-2024-45127: Magento Open Source stored Cross-Site Scripting (XSS) vulnerability

Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

(GitHub Advisory)

4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-45127

GHSA ID

GHSA-c89g-gq5r-2xw2

EPSS Score

0.53684%

CWE

CWE-79

Published

10/10/2024

Updated

10/11/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
magento/community-edition	composer	>= 2.4.7-beta1, < 2.4.7-p3	2.4.7-p3
magento/community-edition	composer	>= 2.4.6-p1, < 2.4.6-p8	2.4.6-p8
magento/community-edition	composer	>= 2.4.5-p1, < 2.4.5-p10	2.4.5-p10
magento/community-edition	composer	< 2.4.4-p11	2.4.4-p11
magento/community-edition	composer	= 2.4.7
magento/community-edition	composer	= 2.4.6
magento/community-edition	composer	= 2.4.5
magento/community-edition	composer	= 2.4.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability involves stored XSS in admin-controlled form fields. Key areas include:

Template rendering mechanisms (like fetchView) that may omit proper escaping of user-controlled data in frontend templates.
UI component form processing that fails to sanitize admin input before storage. These are common XSS vectors in Magento's architecture. Confidence is medium due to lack of direct patch details, but aligns with Magento's typical XSS patterns (CWE-79).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

M***nto Op*n Sour** v*rsions *.*.*-p*, *.*.*-p*, *.*.*-p*, *.*.*-p** *n* **rli*r *r* *****t** *y * stor** *ross-Sit* S*riptin* (XSS) vuln*r**ility t**t *oul* ** **us** *y *n **min *tt**k*r to inj**t m*li*ious s*ripts into vuln*r**l* *orm *i*l*s. M*li

Reasoning

T** vuln*r**ility involv*s stor** XSS in **min-*ontroll** *orm *i*l*s. K*y *r**s in*lu**: *. T*mpl*t* r*n**rin* m****nisms (lik* **t**Vi*w) t**t m*y omit prop*r *s**pin* o* us*r-*ontroll** **t* in *ront*n* t*mpl*t*s. *. UI *ompon*nt *orm pro**ssin* t

4.8

Basic Information

Concerned about an active attack path?

CVE-2024-45127: Magento Open Source stored Cross-Site Scripting (XSS) vulnerability

4.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI