Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
Description
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, which raises the confidentiality and integrity impact to high.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce stored XSS allows low-privileged attackers to inject malicious scripts into form fields, leading to session takeover.
Vulnerability
Overview
CVE-2025-24438 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. The flaw resides in vulnerable form fields where a low-privileged attacker can inject malicious JavaScript that persists on the server. When an administrator or other user views the page containing the injected script, the browser executes it [1].
Exploitation
Prerequisites
An attacker must have a low-privileged account (e.g., a merchant or content contributor) to access the vulnerable form fields. No additional authentication bypass is required; the attacker simply submits crafted input that is not properly sanitized. The stored script then triggers automatically when any victim navigates to the affected page [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser session. This can be leveraged to steal session cookies, perform actions on behalf of the victim, and ultimately achieve session takeover. Adobe rates the confidentiality and integrity impact as high due to the potential for full administrative control [1].
Mitigation
Adobe has released security patches for the affected versions. Users should upgrade to the latest patched versions (2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, or later) as recommended in the official advisory. No workarounds are documented; applying the patch is the only reliable mitigation [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p4 | 2.4.7-p4 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p9 | 2.4.6-p9 |
| magento/community-edition (Packagist) | >= 2.4.5-p1, < 2.4.5-p11 | 2.4.5-p11 |
| magento/community-edition (Packagist) | < 2.4.4-p12 | 2.4.4-p12 |
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
Affected products
- Range: <= 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier
- GHSA coordinates (2 versions): >= 2.4.7-beta1, < 2.4.7-p4 (+ 1 more)
- (no CPE) range: >= 2.4.7-beta1, < 2.4.7-p4
- (no CPE) range: <= 2.0.2
- Adobe / Adobe Commerce (v5): range 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-8884-7rm9-mrx4 (ghsa, ADVISORY)
- helpx.adobe.com/security/products/magento/apsb25-08.html (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2025-24438 (ghsa, ADVISORY)
News mentions
No linked articles in our index yet.