Description
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a stored cross-site scripting (XSS) in the customer address upload feature. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Exploitation of this issue requires user interaction.
Remediation
References
Related Vulnerabilities
WordPress Plugin bbPress Cross-Site Scripting (2.5.6)
WordPress Plugin iThemes Security (formerly Better WP Security) Cross-Site Scripting (5.6.1)
Coppermine Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2011-3722)
WordPress Plugin BackWPup Cross-Site Scripting (3.2.3)
WordPress Plugin FoxyPress 'uploadify.php' Arbitrary File Upload (0.4.2.1)