How severe is GHSA-gp6m-fq6h-cjcx?

GHSA-gp6m-fq6h-cjcx has a CVSS score of 5.4/10, rated MEDIUM. Review your exposure and patch according to your risk tolerance.

Which packages are affected by GHSA-gp6m-fq6h-cjcx?

GHSA-gp6m-fq6h-cjcx affects the following packages: openmage/magento-lts (Packagist), openmage/magento-lts (Packagist). Ecosystems affected: Packagist.

How do I fix GHSA-gp6m-fq6h-cjcx?

Update openmage/magento-lts to 20.5.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-gp6m-fq6h-cjcx is resolved across your whole dependency graph.

How do I detect GHSA-gp6m-fq6h-cjcx in my Packagist dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for openmage/magento-lts. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-gp6m-fq6h-cjcx if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-gp6m-fq6h-cjcx?

O3 pinpoints whether GHSA-gp6m-fq6h-cjcx is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-gp6m-fq6h-cjcx actively exploited in the wild?

No public exploit code has been indexed for GHSA-gp6m-fq6h-cjcx yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

When was GHSA-gp6m-fq6h-cjcx published, and has it been updated?

GHSA-gp6m-fq6h-cjcx was published on February 27, 2024 and was last updated on November 30, 2024. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

🐘 Packagist

GHSA-gp6m-fq6h-cjcx

MEDIUM

Magento LTS vulnerable to stored XSS in admin file form

Published

Feb 27, 2024

Updated

Nov 30, 2024

Affected

2 pkgs

Patched

2 / 2

Exploits

None indexed

Blast Radius

2 pkgs affected

🐘openmage/magento-lts🐘openmage/magento-lts

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.

Description

Summary

OpenMage is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields.

Details

Mage_Adminhtml_Block_System_Config_Form_Field_File does not escape filename value in certain situations. Same as: https://nvd.nist.gov/vuln/detail/CVE-2024-20717

PoC

Create empty file with this filename: <img src=x onerror=alert(1)>.crt
Go to System > Configuration > Sales | Payment Methonds.
Click Configure on PayPal Express Checkout.
Choose API Certificate from dropdown API Authentication Methods.
Choose the XSS-file and click Save Config.
Profit, alerts "1" -> XSS.
Reload, alerts "1" -> Stored XSS.

Impact

Affects admins that have access to any fileupload field in admin in core or custom implementations. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

Affected Packages

2 total 2 fixed

Ecosystem	Package	Vulnerable range	Fix
🐘Packagist	`openmage/magento-lts`	≥ 20.0.0&&< 20.5.0	20.5.0
🐘Packagist	`openmage/magento-lts`	all versions	19.5.3

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for openmage/magento-lts. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update openmage/magento-lts to 20.5.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-gp6m-fq6h-cjcx is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-gp6m-fq6h-cjcx is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-gp6m-fq6h-cjcx. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary OpenMage is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. ### Details `Mage_Adminhtml_Block_System_Config_Form_Field_File` does not escape filename value in certain situations. Same as: https://nvd.nist.gov/vuln/detail/CVE-2024-20717 ### PoC 1. Create empty file with this filename: `<img src=x onerror=alert(1)>.crt` 2. Go to _System_ > _Configuration_ > _Sales | Payment Methonds_. 3. Click **Configure** on _PayPal Express Checkout_. 4. Choose **API Certificat

O3 Security · Impact-Aware SCA

Is GHSA-gp6m-fq6h-cjcx in your dependencies?

O3 detects GHSA-gp6m-fq6h-cjcx across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works