VYPR
High severity · NVD Advisory · Published Oct 14, 2025 · Updated Feb 26, 2026

Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)

CVE-2025-54264

Description

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. Scope is changed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Adobe Commerce (and Magento Open Source) versions up to 2.4.4-p15, 2.4.5-p14, 2.4.6-p12, 2.4.7-p7, and 2.4.8-p2 are vulnerable to stored XSS via form fields, exploitable by high-privileged attackers to achieve session takeover.

Root Cause

CVE-2025-54264 is a stored Cross-Site Scripting (XSS) vulnerability in Adobe Commerce (and the related Magento Open Source) affecting the listed versions. The issue originates from insufficient sanitization of form fields, allowing a high-privileged attacker to inject arbitrary JavaScript into the application's data store. This is a classic stored XSS flaw: the injected script is persisted on the server and served unchanged to other users who view the page [1][2].

Exploitation

The attack requires an authenticated user with high privileges (e.g., an admin or another powerful role) to inject the malicious script into a vulnerable form field. The attacker does not require any interaction from the victim at the moment of injection. However, for the impact to occur, a victim (a different user) must browse to the page that renders the vulnerable field. No additional privileges are needed on the victim's part; simply viewing the affected page runs the payload in their browser [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser session. This can lead to session hijacking (session takeover), where the attacker can impersonate the victim and perform actions on their behalf, potentially including accessing sensitive data or performing administrative operations. The CVSS score reflects a high impact on confidentiality and integrity, and the scope is changed, meaning the impacted component (the victim's browser) is different from the vulnerable component (the Adobe Commerce application that serves the stored field) [1].

Mitigation

Adobe has released security updates that fix this vulnerability in the following versions: Adobe Commerce 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15, and later. Users should upgrade to these or newer versions. Adobe also recommends applying general security best practices, such as limiting admin privileges, as a defense-in-depth measure [1][2].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
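As an added illustration (not code from Adobe Commerce or from this advisory), the following plain-PHP snippet shows the rendering defect class the Root Cause section describes beside the context-aware output encoding that addresses it. The data store, the field name, the stored value and both renderer functions are constructed for this example and do not correspond to any specific Adobe Commerce form.

```php
<?php
declare(strict_types=1);

// Added example (generic PHP, not Adobe Commerce code): the stored-XSS
// pattern from the Root Cause section beside the output-encoding fix from
// the Mitigation section. Field names and values are constructed.

// Constructed data store: the application persists the submitted field as-is.
// Persisting raw text is acceptable; the defect is in how it is rendered later.
$store = [];

function saveFormField(array &$store, string $name, string $value): void
{
    $store[$name] = $value;
}

// Vulnerable pattern: persisted text is interpolated into HTML unchanged,
// so markup that was saved in the field becomes live markup in every
// visitor's browser.
function renderFieldVulnerable(string $name, string $value): string
{
    return "<label for=\"$name\">$name</label>\n"
         . "<input id=\"$name\" name=\"$name\" value=\"$value\">\n"
         . "<p class=\"preview\">$value</p>\n";
}

// Context-aware output encoding. ENT_QUOTES covers both quote styles so the
// value cannot break out of an attribute; ENT_SUBSTITUTE keeps invalid UTF-8
// from silently truncating the output (which would drop the encoding).
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: every untrusted value is encoded for the HTML context
// it lands in (here an attribute value and a text node) at render time.
function renderFieldHardened(string $name, string $value): string
{
    $safeName  = escapeHtml($name);
    $safeValue = escapeHtml($value);
    return "<label for=\"$safeName\">$safeName</label>\n"
         . "<input id=\"$safeName\" name=\"$safeName\" value=\"$safeValue\">\n"
         . "<p class=\"preview\">$safeValue</p>\n";
}

// Review helper: does the rendered HTML still contain the raw stored value,
// i.e. did a value that needed encoding reach the page without it?
function echoesRawValue(string $html, string $storedValue): bool
{
    return str_contains($html, $storedValue)
        && $storedValue !== escapeHtml($storedValue);
}

// Constructed sample: a script tag saved into a free-text field.
saveFormField($store, 'store_name', 'Acme <script>alert(1)</script> Outlet');

$renderers = [
    'vulnerable' => 'renderFieldVulnerable',
    'hardened'   => 'renderFieldHardened',
];
foreach ($renderers as $label => $fn) {
    $html = $fn('store_name', $store['store_name']);
    printf(
        "%-10s raw value echoed: %s\n%s\n",
        $label,
        echoesRawValue($html, $store['store_name']) ? 'yes' : 'no',
        $html
    );
}
```

Run with `php` 8 or later (`str_contains` is a PHP 8 function). The vulnerable renderer reports that the raw value was echoed and emits a live `<script>` element; the hardened renderer emits `&lt;script&gt;...&lt;/script&gt;` in both the attribute and the text node, so the browser displays the text instead of executing it. Adobe Commerce templates get the same effect through the framework's `Magento\Framework\Escaper` (`escapeHtml`, `escapeHtmlAttr`, `escapeJs`, `escapeUrl`), chosen by the context the value lands in; encoding at render time is what keeps a persisted value from executing, whatever was accepted at submission time.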

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
magento/project-community-edition (Packagist) | <= 2.0.2 |
magento/community-edition (Packagist) | >= 2.4.9-alpha1, < 2.4.9-alpha3 | 2.4.9-alpha3
magento/community-edition (Packagist) | >= 2.4.8-beta1, < 2.4.8-p3 | 2.4.8-p3
magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p8 | 2.4.7-p8
magento/community-edition (Packagist) | < 2.4.6-p13 | 2.4.6-p13

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (No linked articles in our index yet.)