CVE-2024-41676: Magento LTS vulnerable to stored Cross-site Scripting (XSS) in admin system configs

This XSS vulnerability is about the system configs

• design/header/welcome
• design/header/logo_src
• design/header/logo_src_small
• design/header/logo_alt

They are intended to enable admins to set a text in the two cases, and to define an image url for the other two cases. But because of previously missing escaping allowed to input arbitrary html and as a consequence also arbitrary JavaScript.

While this is in most usage scenarios not a relevant issue, some people work with more restrictive roles in the backend. Here the ability to inject JavaScript with these settings would be an unintended and unwanted privilege.