Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
Description
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored cross-site scripting (XSS) in Adobe Commerce allows admin attackers to inject malicious scripts into form fields, executing in victims' browsers.
Vulnerability
CVE-2024-45127 is a stored cross-site scripting (XSS) vulnerability affecting Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier. The flaw exists in vulnerable form fields where an authenticated admin attacker can inject malicious scripts that remain stored on the application [1].
Exploitation
An attacker with administrative privileges can exploit this by crafting input data containing JavaScript payloads and submitting it via affected form fields. The stored script then activates when a victim (including other administrators or users) views the page containing that form field, leading to arbitrary JavaScript execution within the victim's browser session [1].
Impact
Once executed, the injected script can perform actions on behalf of the victim, such as manipulating page content, stealing session tokens, or accessing sensitive data within the context of the user's session. This could result in privilege escalation or further compromise of the Adobe Commerce instance [1].
Mitigation
Adobe has released security patches for the affected versions. Administrators should upgrade to Adobe Commerce versions not listed as vulnerable. The official GitHub repository for Magento (now Adobe Commerce) provides source code and instructions for maintaining the software [2]. Users should also consider applying input validation and output encoding best practices as a defense-in-depth measure [1].
References cited above:
- [1] NVD - CVE-2024-45127
- [2] GitHub - magento/magento2
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p3 | 2.4.7-p3 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p8 | 2.4.6-p8 |
| magento/community-edition (Packagist) | >= 2.4.5-p1, < 2.4.5-p10 | 2.4.5-p10 |
| magento/community-edition (Packagist) | < 2.4.4-p11 | 2.4.4-p11 |
Affected products
- OSV coordinates, 2 version ranges:
  - (no CPE) range: >= 2.4.7-alpha0, < 2.4.7-p3
  - (no CPE) range: >= 2.4.7-beta1, < 2.4.7-p3
- Adobe / Adobe Commerce (CPE v5 range: 0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-c89g-gq5r-2xw2 (GHSA, advisory)
- helpx.adobe.com/security/products/magento/apsb24-73.html (GHSA, vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2024-45127 (GHSA, advisory)
News mentions
No linked articles in our index yet.