PT-2025-44806 · Adobe · Magento-Lts

Published 2025-11-03 · Updated 2026-02-04 · CVE-2025-64174

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Magento-lts versions 20.15.0 and below; OpenMage versions 20.15.0 and earlier.

Description: Magento-lts and OpenMage are affected by a stored Cross-Site Scripting (XSS) issue. An administrator with direct database access, or with access to the source of the admin notification feed, could inject scripts into the vulnerable fields. The issue stems from unescaped translation strings and URLs in app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Actions.php: a malicious translation or compromised feed data can lead to script injection, and the injected JavaScript executes in a victim's browser when they open the page that renders the vulnerable field. The vulnerable code uses the () function without proper escaping for link labels, and the deleteConfirm() function embeds messages without escaping.
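To make the escaping gap described above concrete, the following standalone PHP snippet is an added illustration; it is not code from magento-lts or OpenMage, and the function names, sample strings and `renderActions*` helpers are constructed for this example. It places a translation-derived label, a URL and a confirmation message into an admin grid link first without escaping, then with context-appropriate escaping (HTML escaping for markup, a JSON-encoded string literal for the value inside the `deleteConfirm()` call).

```php
<?php
// Added illustration, not code from magento-lts/OpenMage. Shows the pattern the advisory
// describes: an admin grid "Actions" cell whose link label comes from a translation string
// and whose onclick embeds a confirmation message. All names and sample values are constructed.
declare(strict_types=1);

// Constructed samples standing in for a tampered translation string, a tampered
// notification message and a tampered URL (e.g. edited directly in the database).
const SAMPLE_LABEL   = 'Read Details<img src=x onerror=alert(1)>';
const SAMPLE_MESSAGE = "Remove this notification?');alert(1);('";
const SAMPLE_URL     = 'https://example.invalid/notice/1"><script>alert(1)</script>';

// Vulnerable pattern: values are concatenated straight into HTML and into a JS string literal.
function renderActionsVulnerable(string $url, string $label, string $message): string
{
    return '<a href="' . $url . '" onclick="return deleteConfirm(\'' . $message . '\')">'
        . $label . '</a>';
}

// Hardened pattern: HTML-escape everything that lands in markup; encode the message as a
// JS string literal for the event handler, then HTML-escape that literal as attribute content.
function renderActionsHardened(string $url, string $label, string $message): string
{
    $escHtml = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // json_encode produces a quoted JS string literal; the JSON_HEX_* flags keep < > & ' "
    // out of the literal so nothing in it can terminate the attribute or the script context.
    $jsLiteral = json_encode(
        $message,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );

    return '<a href="' . $escHtml($url) . '" onclick="return deleteConfirm('
        . $escHtml($jsLiteral) . ')">' . $escHtml($label) . '</a>';
}

echo "Vulnerable:\n", renderActionsVulnerable(SAMPLE_URL, SAMPLE_LABEL, SAMPLE_MESSAGE), "\n\n";
echo "Hardened:\n",   renderActionsHardened(SAMPLE_URL, SAMPLE_LABEL, SAMPLE_MESSAGE), "\n";
```

Running it side by side shows the difference: in the vulnerable output the sample label closes the anchor text with live markup and the sample message breaks out of the single-quoted `deleteConfirm()` argument, whereas in the hardened output every special character is rendered inert in its context. Escaping alone does not validate the `href` scheme, so an allow-list for the URL is a separate control from the one this example demonstrates.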
Recommendations: Magento-lts versions 20.15.0 and below: upgrade to version 20.16.0 or later to resolve this issue. OpenMage versions 20.15.0 and earlier: upgrade to version 20.16.0 or later to resolve this issue.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-64174
GHSA-QV78-C8HC-438R

Affected Products

Magento-Lts