Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
Description
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, resulting in high confidentiality and integrity impact.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in Adobe Commerce allows low-privileged attackers to inject malicious scripts, leading to session takeover.
Vulnerability
Overview
CVE-2025-24417 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. The root cause lies in insufficient sanitization of user-supplied input in form fields, allowing an attacker with low privileges to inject arbitrary JavaScript code that is stored on the server and later executed in the browsers of other users [1].
Exploitation
Conditions
An attacker must have a low-privileged account (e.g., a merchant or customer with limited permissions) to access the vulnerable form fields. No additional authentication or network position is required beyond standard web access. The injected script is triggered when a victim (such as an administrator or other user) navigates to the page containing the compromised field, leading to automatic execution of the malicious JavaScript in the victim's browser [1].
Impact
Successful exploitation enables the attacker to perform session takeover, effectively hijacking the victim's authenticated session. This can lead to unauthorized access to sensitive data and administrative functions, resulting in high confidentiality and integrity impact. The attacker could potentially modify store configurations, access customer data, or perform other actions under the victim's identity [1].
Mitigation
Status
As of the publication date (2025-02-11), Adobe has not released a security patch for this vulnerability. Users of the affected versions are advised to apply any available security updates from Adobe as soon as they are released, or to implement workarounds such as input validation and content security policies to reduce risk [1].
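The two workarounds named above, output encoding of stored field values and a Content-Security-Policy header, are shown below in an added Python example. It is not Adobe Commerce or Magento code; the sample stored value, the rendering helpers and the tag-collecting check are all constructed here to contrast a raw echo of a stored field with context-appropriate encoding.

```python
# Added example (not Adobe's or Magento's code): how a stored form-field value
# becomes active markup when echoed raw, and the mitigation of encoding it for
# the output context plus a restrictive Content-Security-Policy header.
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed sample of what a low-privileged account might have saved in a
# free-text field; it is later rendered on a page another user views.
STORED_FIELD = '<img src=x onerror="alert(document.cookie)">'


def render_unsafe(value):
    """Vulnerable pattern: the stored value is concatenated straight into HTML."""
    return f"<td class='customer-note'>{value}</td>"


def render_escaped(value):
    """Hardened pattern for HTML body context: entity-encode < > & \" and '."""
    return f"<td class='customer-note'>{html.escape(value, quote=True)}</td>"


def render_attr(value):
    """Attribute context: always quote the attribute and entity-encode the value,
    so a stored value cannot close the quote and add an on* handler."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


def render_url_param(value):
    """URL-parameter context: percent-encode; HTML entity encoding alone is not
    the right transform here."""
    return f'<a href="/search?q={quote(value, safe="")}">search</a>'


def csp_header():
    """Defense in depth: a policy that refuses inline scripts and inline event
    handlers, so even a field that slips through encoding cannot run script."""
    return (
        "Content-Security-Policy",
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
    )


class TagCollector(HTMLParser):
    """Parses a rendered fragment and records every start tag and every on*
    attribute, which is how we show whether the stored value became markup."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def parse_tags(fragment):
    """Return (tags, event_handler_attributes) found in the rendered HTML."""
    collector = TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags, collector.handlers


if __name__ == "__main__":
    # Raw echo: the <img> element and its onerror handler survive into the DOM.
    print(render_unsafe(STORED_FIELD), parse_tags(render_unsafe(STORED_FIELD)))
    # Encoded: only the wrapper <td> is a tag; the payload is inert text.
    print(render_escaped(STORED_FIELD), parse_tags(render_escaped(STORED_FIELD)))
    print(*csp_header(), sep=": ")
```

The parse check is only an illustration of the difference between the two renderings; the mitigation itself is encoding every stored value for the context it is emitted into (HTML body, attribute, URL) and sending the CSP header on every response, not scanning stored values for tags.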
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| magento/community-edition | Packagist | >= 2.4.7-beta1, < 2.4.7-p4 | 2.4.7-p4 |
| magento/community-edition | Packagist | >= 2.4.6-p1, < 2.4.6-p9 | 2.4.6-p9 |
| magento/community-edition | Packagist | >= 2.4.5-p1, < 2.4.5-p11 | 2.4.5-p11 |
| magento/community-edition | Packagist | < 2.4.4-p12 | 2.4.4-p12 |
| magento/project-community-edition | Packagist | <= 2.0.2 | (none) |
Affected products
- Range: >= 2.4.4-p11, <= 2.4.8-beta1
- GHSA coordinates, 2 version ranges: >= 2.4.7-beta1, < 2.4.7-p4 (and 1 more)
- (no CPE) range: >= 2.4.7-beta1, < 2.4.7-p4
- (no CPE) range: <= 2.0.2
- Adobe / Adobe Commerce: range 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-g3j6-9753-8mp2 (GHSA, advisory)
- helpx.adobe.com/security/products/magento/apsb25-08.html (GHSA, vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2025-24417 (GHSA, advisory)
News mentions
No linked articles in our index yet.