CVE-2009-0541

Name of the Vulnerable Software and Affected Versions Magento versions 1.2.0 through 1.2.1.1

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the username field in an admin request to "index.php", possibly related to the login[username] parameter and the login function in app/code/core/Mage/Admin/Model/Session.php. Another vector is the email address field in an "admin/index/forgotpassword/" request to "index.php", possibly related to the email parameter and the forgotpasswordAction function in app/code/core/Mage/Adminhtml/controllers/IndexController.php. Additionally, the issue can be exploited via the return parameter to the default URI under "downloader/".

Recommendations For Magento versions 1.2.0 through 1.2.1.1, consider disabling the login function in app/code/core/Mage/Admin/Model/Session.php and the forgotpasswordAction function in app/code/core/Mage/Adminhtml/controllers/IndexController.php as a temporary workaround until a patch is available. Restrict access to the "downloader/" URI to minimize the risk of exploitation. Avoid using the login[username] and email parameters in the affected API endpoints until the issue is resolved.