PT-2024-29501 · Adobe · Magento

Justlife4X4 · Published 2024-07-29 · Updated 2024-08-23 · CVE-2024-41676

CVSS v4.0: 5.1 (Medium)

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Name of the Vulnerable Software and Affected Versions

Magento-lts versions prior to 20.10.1

Description

This issue affects the design/header/welcome, design/header/logo_src, design/header/logo_src_small, and design/header/logo_alt system configs, which are intended to let admins set a text or define an image URL. Because these values were previously not escaped, they accepted arbitrary HTML and, as a consequence, arbitrary JavaScript. This could be an issue in scenarios where users work with more restrictive roles in the backend, potentially leading to unintended privilege escalation.

Recommendations

For versions prior to 20.10.1, upgrade to version 20.10.1 or higher to patch the issue. As a temporary workaround, consider restricting access to the System Configs. Check the templates where these settings are used and apply proper HTML filtering. Users who rely on the ability to use HTML in these settings can restore the previous behavior by calling the newly introduced ->getUnescapedValue() method on escaped elements, and should review the newly introduced Mage_Core_Model_Security_HtmlEscapedString.
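
The template check recommended above can be started with a scan like the following, which is an added example and not part of the advisory or of the Magento-lts code. It assumes templates read the settings through Mage::getStoreConfig() or the header-block getters getWelcome(), getLogoSrc(), getLogoSrcSmall() and getLogoAlt(), and that escapeHtml(), escapeUrl() and htmlspecialchars() count as filtering.

```python
import re

# The four system config paths named in the advisory.
CONFIG_PATHS = ("design/header/welcome", "design/header/logo_src",
                "design/header/logo_src_small", "design/header/logo_alt")
# Assumption: header-block getters through which templates usually read them.
GETTERS = ("getWelcome", "getLogoSrc", "getLogoSrcSmall", "getLogoAlt")

PHP_RE = re.compile(r"<\?(?:php|=)(.*?)\?>")  # one inline PHP segment
READ_RE = re.compile("|".join(map(re.escape, CONFIG_PATHS))
                     + "|->(?:" + "|".join(GETTERS) + r")\s*\(")
# Assumption: calls that count as output filtering for this audit.
ESCAPE_RE = re.compile(r"\b(?:escapeHtml|escapeUrl|htmlspecialchars)\s*\(")
OPT_OUT_RE = re.compile(r"->getUnescapedValue\s*\(")


def audit_template(name, text):
    """Return (name, line_no, reason, source_line) for each suspect PHP segment."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        # Judge each <?php ... ?> segment separately so an escaped value does
        # not hide an unescaped one on the same line.
        for code in PHP_RE.findall(line) or [line]:
            if ESCAPE_RE.search(code):
                continue
            if OPT_OUT_RE.search(code):
                findings.append((name, no, "raw-opt-out", line.strip()))
            elif READ_RE.search(code):
                findings.append((name, no, "unescaped-read", line.strip()))
    return findings


# Constructed sample template, not taken from any real theme.
SAMPLE = """\
<a href="<?php echo $this->getUrl('') ?>" class="logo">
  <img src="<?php echo $this->getLogoSrc() ?>" alt="<?php echo $this->escapeHtml($this->getLogoAlt()) ?>" />
</a>
<p><?php echo Mage::getStoreConfig('design/header/welcome') ?></p>
<p><?php echo $this->getWelcome()->getUnescapedValue() ?></p>
"""

if __name__ == "__main__":
    for finding in audit_template("header.phtml", SAMPLE):
        print("%s:%d [%s] %s" % finding)
```

The scan is a heuristic: every flagged line needs manual review, and a value that is escaped in a separate statement before output is not recognised as filtered.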

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-41676
GHSA-5VRP-638W-P8M2

Affected Products

Magento