The cancel-order-modal.phtml template in the Magento_OrderCancellationUi module rendered $block->getOrder()->getRealOrderId() directly into the DOM using the @noEscape annotation, bypassing Magento’s output escaping layer. While the order increment ID is normally a numeric/zero-padded string generated by Magento and not directly user-controllable, any code path or merchant customization that allowed non-standard characters into this field (custom increment ID generators, third-party modules manipulating order data, or database-level tampering by a lower-privileged actor) could result in raw HTML or JavaScript being injected into the cancel-order modal and executed in the context of the authenticated shopper’s session. The fix routes the value through $escaper->escapeHtml(), aligning the template with the escaping pattern already used elsewhere in the same file and in the Magento_Sales order history templates, and eliminating the XSS sink as a defense-in-depth measure.
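The following is an added illustration, not code from the Magento_OrderCancellationUi module or from the patch itself. It places the unescaped pattern next to the escaped one so the difference in rendered output is visible with a constructed increment ID. `escapeHtml()` here is a stand-in for `Magento\Framework\Escaper::escapeHtml()` built on `htmlspecialchars()` so the script runs without a Magento install; `renderUnsafe()`, `renderSafe()`, `isWellFormedIncrementId()` and the sample values are all assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Stand-in for Magento\Framework\Escaper::escapeHtml() so this runs outside
// Magento. The real escaper also supports an allowed-tags list; only the
// plain-string case that the template needs is reproduced here.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the value is concatenated straight into markup,
// which is what an @noEscape annotation permits in a .phtml template.
function renderUnsafe(string $incrementId): string
{
    return '<span class="order-number">' . $incrementId . '</span>';
}

// Fixed pattern: the value passes through the escaper before reaching the DOM,
// matching the $escaper->escapeHtml() call introduced by the fix.
function renderSafe(string $incrementId): string
{
    return '<span class="order-number">' . escapeHtml($incrementId) . '</span>';
}

// Optional defense-in-depth check for a review or monitoring script: flag
// any stored increment ID that does not match the default digits-only format.
// Assumption: merchants using custom increment ID generators with prefixes
// would need to adjust this pattern.
function isWellFormedIncrementId(string $incrementId): bool
{
    return preg_match('/^\d+$/', $incrementId) === 1;
}

// Constructed sample values (not real order data).
$samples = [
    // What Magento normally generates: a zero-padded numeric string.
    '000000123',
    // A value that could only reach the field through a customization,
    // a third-party module, or database tampering, as the advisory notes.
    '000000123<img src=x onerror="alert(document.cookie)">',
];

foreach ($samples as $id) {
    echo 'well-formed: ' . (isWellFormedIncrementId($id) ? 'yes' : 'no') . PHP_EOL;
    echo 'unsafe:      ' . renderUnsafe($id) . PHP_EOL;
    echo 'escaped:     ' . renderSafe($id) . PHP_EOL . PHP_EOL;
}
```

For the tainted sample, `renderUnsafe()` emits a live `<img>` element inside the modal, while `renderSafe()` emits `&lt;img src=x onerror=&quot;alert(document.cookie)&quot;&gt;`, which the browser displays as text. The well-formedness check is a separate, optional control: escaping at the sink is what removes the XSS, and the check only helps surface unexpected values in stored order data.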
This vulnerability affects the following application versions:
- Magento 2.4.7
- Magento 2.4.7-p1
- Magento 2.4.7-p2
- Magento 2.4.7-p3
- Magento 2.4.8-beta1