CVE-2025-27400: 
PHP vulnerability analysis and mitigation

Magento Long Term Support (LTS), an unofficial community-driven project providing an alternative to the Magento Community Edition e-commerce platform, was found to contain a cross-site scripting vulnerability. The issue affects versions prior to 20.12.3 and 20.13.1, and was discovered on February 28, 2025 (NVD, GitHub Advisory).

The vulnerability allows script execution in the admin panel through the Design > Themes > Skin (Images / CSS) configuration field. The issue specifically occurs when the field contains an end script tag, enabling stored cross-site scripting (XSS) attacks against authenticated admin users. The vulnerability has been assigned a CVSS v3.1 base score of 2.9 (Low) with vector string CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L (GitHub Advisory).

A malicious user with administrative configuration access could potentially execute arbitrary JavaScript code in the context of other authenticated admin users' browsers. While the impact is limited due to the high privileges required to exploit the vulnerability, it could theoretically be used to impersonate other administrative users (GitHub Advisory).

The vulnerability has been patched in versions 20.12.3 and 20.13.1. Users are advised to upgrade to these or later versions to address the security issue. The fix involves properly sanitizing skin URLs that could be used for XSS (GitHub Release).