N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-64174

GHSA ID

GHSA-qv78-c8hc-438r

EPSS Score

CWE

CWE-79

Published

11/3/2025

Updated

11/3/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-64174

CVE-2025-64174: OpenMage vulnerable to XSS in Admin Notifications

Summary

OpenMage versions v20.15.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin with direct database access or the admin notification feed source to inject malicious scripts into vulnerable fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

Details

Unescaped translation strings and URLs are printed into contexts inside app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Actions.php. A malicious translation or polluted data can inject script.

Link labels use __() without escaping.
’deleteConfirm()’ embeds a message without escaping.

PoC

Add XSS to admin locale (e.g. app/locale/en_US/local.csv):

"Read Details","<img src=x onerror=alert(123)>"
"Mark as Read","<script>alert(123)</script>"

Flush Cache. Make sure locale is set to en_US.

Add any admin notification (e.g. via test.php)

<?php
require 'app/Mage.php';
Mage::app('admin');
Mage::getModel('adminnotification/inbox')->setData([
   'severity'  => Mage_AdminNotification_Model_Inbox::SEVERITY_NOTICE,
   'date_added' => now(),
   'title' => 'XSS renderer test',
   'description' => 'Testing actions renderer',
   'url' => 'https://example.com', // makes the "Read Details" link appear
   'is_read' => 0, // makes the "Mark as Read" link appear
   'is_remove' => 0,
])->save();

Open Admin → System → Notifications → Inbox.
Profit.

Impact

The vulnerability is only exploitable by an attacker with administrative or translation privileges. Malicious JavaScript may be executed in a victim’s browser when they browse to the admin page containing the vulnerable fields.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-64174

GHSA ID

GHSA-qv78-c8hc-438r

EPSS Score

CWE

CWE-79

Published

11/3/2025

Updated

11/3/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
openmage/magento-lts	composer	< 20.16.0	20.16.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists because user-controllable data (translation strings) is rendered directly into an HTML page without proper sanitization or escaping. The analysis of the patch commit 9d604f5489851c54a96fca31b0e13c414b0fb20a confirms this root cause. The primary file changed is app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Actions.php, which contains the render method. Before the patch, this method directly concatenated the output of Mage::helper('adminnotification')->__('...') into an HTML string. The __() function is for translation and does not perform escaping, making it a classic vector for stored XSS if the translation source can be manipulated. The patch explicitly adds $this->escapeHtml() and $this->escapeUrl() to the data before it is rendered, which directly mitigates the vulnerability. Therefore, the Mage_Adminhtml_Block_Notification_Grid_Renderer_Actions.render function is the precise location of the vulnerability, as it is the function responsible for generating the unsafe output that leads to XSS.

Vulnerable functions

Mage_Adminhtml_Block_Notification_Grid_Renderer_Actions.render

app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Actions.php

The `render` function in `Mage_Adminhtml_Block_Notification_Grid_Renderer_Actions` is vulnerable to stored XSS. It constructs HTML for action links in the admin notifications grid. The function uses the `__()` translation helper to get labels like 'Read Details' and 'Mark as Read'. This helper does not escape output. As demonstrated in the PoC, an attacker with the ability to modify translation files can inject malicious JavaScript into these labels. When an admin views the notification grid, the unescaped, malicious label is rendered as part of the HTML, causing the script to execute in their browser. The patch fixes this by wrapping the output of the `__()` helper and the notification URL with `escapeHtml()` and `escapeUrl()` respectively, thus neutralizing the XSS vector.

WAF Protection Rules

WAF Rule

### Summ*ry Op*nM*** v*rsions v**.**.* *n* **rli*r *r* *****t** *y * stor** *ross-Sit* S*riptin* (XSS) vuln*r**ility t**t *oul* ** **us** *y *n **min wit* *ir**t **t***s* ****ss or t** **min noti*i**tion **** sour** to inj**t m*li*ious s*ripts into v

Reasoning

T** vuln*r**ility *xists ****us* us*r-*ontroll**l* **t* (tr*nsl*tion strin*s) is r*n**r** *ir**tly into *n *TML p*** wit*out prop*r s*nitiz*tion or *s**pin*. T** *n*lysis o* t** p*t** *ommit `****************************************` *on*irms t*is ro

N/A

Basic Information

Concerned about an active attack path?

CVE-2025-64174: OpenMage vulnerable to XSS in Admin Notifications

Summary

Details

PoC

Impact

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI