Validate Your Inputs | Cross-site Scripting (Stored XSS) (CWE-79) - Customer to Admin stored XSS with Gift wrapping
Description
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. The payload is stored in an admin area, resulting in high confidentiality and integrity impact.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce versions prior to 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 contain a stored XSS vulnerability allowing low-privileged attackers to execute malicious scripts in admin browsing sessions.
Vulnerability
Overview
CVE-2023-38219 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Commerce versions 2.4.7-beta1 and earlier, 2.4.6-p2 and earlier, 2.4.5-p4 and earlier, and 2.4.4-p5 and earlier. The root cause is insufficient sanitization of user input in certain form fields, allowing an attacker to inject malicious JavaScript that is subsequently stored in the admin area [1].
Exploitation
Prerequisites
An attacker must have low-privileged access to the Adobe Commerce instance—such as a restricted admin account—to inject the payload into a vulnerable form field. The malicious script is persisted in the admin area and is executed when a different admin user navigates to the page containing the injected content. No additional user interaction beyond viewing the page is required for the script to execute.
Impact
Successful exploitation leads to execution of arbitrary JavaScript in the victim's browser within the admin console context. This can result in theft of sensitive data, session hijacking, or unauthorized actions performed under the victim's credentials, resulting in high confidentiality and integrity impact as defined by CVSS [1].
Mitigation
Adobe has released security updates to remediate this vulnerability: users should upgrade to Adobe Commerce 2.4.6-p3, 2.4.5-p5, 2.4.4-p6, or any later version. The Magento Open Source project, which shares the same codebase, has also incorporated these fixes in its repositories [2].
- [1] NVD - CVE-2023-38219
- [2] GitHub - magento/magento2 repository
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-beta2 | 2.4.7-beta2 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p3 | 2.4.6-p3 |
| magento/community-edition (Packagist) | >= 2.4.5-p1, < 2.4.5-p5 | 2.4.5-p5 |
| magento/community-edition (Packagist) | >= 2.4.4-p1, < 2.4.4-p6 | 2.4.4-p6 |
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
Affected products
- Range: <= 4.0-p5
- GHSA coordinates (2 versions): >= 2.4.7-beta1, < 2.4.7-beta2, and one further range
- (no CPE) range: >= 2.4.7-beta1, < 2.4.7-beta2
- (no CPE) range: <= 2.0.2
- Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-3j7w-jp46-9752 (GHSA; advisory)
- helpx.adobe.com/security/products/magento/apsb23-50.html (GHSA; vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2023-38219 (GHSA; advisory)
News mentions
No linked articles in our index yet.