CVE-2025-64174 is a stored Cross-Site Scripting (XSS) vulnerability identified in OpenMage magento-lts, a long-term support fork of Magento Community Edition. The vulnerability affects versions 20.15.0 and below and is caused by improper neutralization of input during web page generation, specifically within the admin notification feed source and translation strings. The vulnerable code resides in app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Actions.php, where unescaped translation strings and URLs are rendered directly into the admin interface. An attacker with administrative privileges and direct database access can inject malicious JavaScript payloads into these fields, which are then executed in the context of the admin panel when viewed. This could lead to session hijacking, privilege escalation, or unauthorized administrative actions. The vulnerability requires high privileges (admin with DB access) and user interaction (admin viewing the notification feed). There are no known public exploits in the wild as of the publication date. The issue is resolved in version 20.16.0 by properly escaping output and sanitizing inputs to prevent script injection. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no authentication required beyond admin privileges, and user interaction needed, resulting in a medium severity score of 4.6.

For European organizations, especially those operating e-commerce platforms using OpenMage magento-lts, this vulnerability poses a risk of administrative account compromise and unauthorized control over the Magento backend. Exploitation could allow attackers to execute arbitrary scripts within the admin interface, potentially leading to theft of sensitive data, manipulation of product listings, or disruption of business operations. Given the requirement for admin-level access and direct database manipulation, the threat is primarily insider or post-compromise in nature. However, if an attacker gains initial admin credentials or database access through other means, this vulnerability could be leveraged to maintain persistence or escalate privileges. The impact on confidentiality, integrity, and availability is moderate but significant for organizations relying heavily on Magento-lts for their online sales and customer data management. Disruption or compromise could damage brand reputation and lead to regulatory compliance issues under GDPR if customer data is exposed or manipulated.

The primary mitigation is to upgrade all affected OpenMage magento-lts instances to version 20.16.0 or later, where the vulnerability is fixed. Until upgrade is possible, organizations should restrict administrative database access to trusted personnel only and implement strict access controls and monitoring on admin accounts. Input validation and output encoding should be enforced on all translation strings and notification feed data to prevent injection of malicious scripts. Regularly audit and sanitize translation files and notification data sources to detect and remove any injected payloads. Employ web application firewalls (WAFs) with rules targeting XSS patterns in admin interfaces. Additionally, enable multi-factor authentication (MFA) for admin accounts to reduce the risk of credential compromise. Monitor logs for unusual admin activity or unexpected script execution within the admin panel. Conduct security awareness training for administrators to recognize and report suspicious notifications or behaviors.