Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
Description
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, raising the confidentiality and integrity impact to high.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce, including Magento Open Source, is vulnerable to a stored XSS flaw (CVE-2025-24415) that allows low-privileged attackers to inject malicious scripts into form fields, enabling session hijacking.
Vulnerability Details
CVE-2025-24415 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier [1]. The root cause lies in insufficient sanitization of user-supplied input within form fields, allowing an attacker to inject arbitrary JavaScript code that is stored on the server and later served to other users [1][2].
Attack Vector
An attacker must have low-privileged access to the Adobe Commerce instance (e.g., a merchant or customer account with basic permissions) to craft and submit malicious payloads via vulnerable input fields [1]. No special network position is required beyond standard HTTP access. The attack does not require user interaction beyond browsing to the affected page, which triggers the stored JavaScript in the victim's browser [1].
Impact
Successful exploitation leads to execution of attacker-controlled JavaScript in the context of the victim's session. This allows the attacker to steal session cookies or tokens, resulting in session takeover [1]. According to the advisory, this compromises both confidentiality and integrity with high severity, as an attacker could impersonate the victim and perform unauthorized actions [1].
Mitigation
Adobe has released security patches for the affected versions: 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and the beta channel. Users are advised to update to the latest patched versions, as there are no practical workarounds. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog as of publication.
- NVD - CVE-2025-24415
- GitHub - magento/magento2
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Source | Affected versions | Patched versions |
|---|---|---|---|
| magento/community-edition | Packagist | >= 2.4.7-beta1, < 2.4.7-p4 | 2.4.7-p4 |
| magento/community-edition | Packagist | >= 2.4.6-p1, < 2.4.6-p9 | 2.4.6-p9 |
| magento/community-edition | Packagist | >= 2.4.5-p1, < 2.4.5-p11 | 2.4.5-p11 |
| magento/community-edition | Packagist | < 2.4.4-p12 | 2.4.4-p12 |
| magento/project-community-edition | Packagist | <= 2.0.2 | — |
Affected products
- Range: <=2.4.8-beta1, <=2.4.7-p3, <=2.4.6-p8, <=2.4.5-p10, <=2.4.4-p11
- GHSA coordinates (2 versions): >= 2.4.7-beta1, < 2.4.7-p4 (+1 more)
- (no CPE) range: >= 2.4.7-beta1, < 2.4.7-p4
- (no CPE) range: <= 2.0.2
- Adobe / Adobe Commerce (v5 range: 0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-gc27-rvvm-q77r (GHSA, advisory)
- helpx.adobe.com/security/products/magento/apsb25-08.html (GHSA, vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2025-24415 (GHSA, advisory)
News mentions
No linked articles in our index yet.