Magento contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the email parameter upon submission to the app/code/core/Mage/Adminhtml/controllers/IndexController.php script from a request to the admin/index/forgotpassword/ page. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

• Security Tracker: 1021746
• CVE ID: 2009-0541 (see also: NVD)
• Bugtraq ID: 33872
• Secunia Advisory ID: 34000
• ISS X-Force ID: 48876 48877 48878
• Related OSVDB ID: 54081 54083 54084
• Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2009-02/0257.html

• Loukas Kalenderidis - infosenseofsecurity.com - Sense of Security