Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
Description
Adobe Commerce versions 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, 2.4.7-beta3 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Confidentiality and integrity are considered high due to having admin impact.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce is affected by a stored XSS vulnerability that allows high-privileged attackers to inject malicious scripts into form fields, compromising admin confidentiality and integrity.
Vulnerability
Overview
CVE-2024-20759 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Commerce versions 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, 2.4.7-beta3 and earlier. The vulnerability exists in form fields that are accessible to high-privileged users, allowing an attacker to inject malicious scripts that are stored and later executed in the browser of any victim who visits the affected page [1].
Exploitation
Prerequisites
Exploitation requires a high-privileged account, such as an administrator, to inject the malicious payload into the vulnerable form fields. The attack does not require user interaction beyond visiting the page containing the injected script, making it a stored/persistent XSS [1].
Impact
Successful exploitation can lead to arbitrary JavaScript execution in the victim's browser, which may result in theft of sensitive session tokens, unauthorized actions performed under the victim's identity, or defacement. The CVSS assessment indicates high impact on both confidentiality and integrity due to the attacker's elevated privileges [1].
Mitigation
Adobe has released patched versions to address this issue. Users are advised to upgrade to Adobe Commerce 2.4.6-p5, 2.4.5-p7, 2.4.4-p8, or later, and avoid using the beta version 2.4.7-beta3 in production. The official source code repository contains the fix for Magento Open Source [2].
- NVD - CVE-2024-20759
- GitHub - magento/magento2
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7 | 2.4.7 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p5 | 2.4.6-p5 |
| magento/community-edition (Packagist) | >= 2.4.5-p1, < 2.4.5-p7 | 2.4.5-p7 |
| magento/community-edition (Packagist) | >= 2.4.4-p1, < 2.4.4-p8 | 2.4.4-p8 |
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
Affected products
4 affected products; 3 OSV coordinates (versions): pkg:bitnami/magento, pkg:composer/magento/community-edition, pkg:composer/magento/project-community-edition
- (no CPE) range: >= 2.4.7-alpha0, < 2.4.7 (+ 2 more)
- (no CPE)
- (no CPE) range: <= 2.0.2
- Adobe/Adobe Commerce (CPE v5) range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-59vf-hjxc-f9c5 (ghsa, ADVISORY)
- helpx.adobe.com/security/products/magento/apsb24-18.html (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-20759 (ghsa, ADVISORY)
News mentions
No linked articles in our index yet.