A persistent input validation web vulnerability has been discovered in the official Magento xCommerce web-application. The vulnerability allows remote attackers to inject own script code to the application-side of the affected service module. The vulnerability is located in the filename value of the image upload module. The attacker needs to create a New Message with upload to change the filename to a malicious payload. The attack vector of the issue is located on the application-side and the request method to inject the script code is POST.