Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-24412

CVE-2025-24412: Adobe Commerce Stored XSS Vulnerability

CVE-2025-24412 is a stored Cross-Site Scripting flaw in Adobe Commerce that enables attackers to inject malicious scripts into form fields, potentially leading to session takeover. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-24412 Overview

CVE-2025-24412 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Commerce, Adobe Commerce B2B, and Magento Open Source. The flaw resides in vulnerable form fields that fail to properly sanitize user-supplied input before persisting and rendering it back to other users. A low-privileged authenticated attacker can inject malicious JavaScript that executes in a victim's browser when the victim views the affected page. Successful exploitation can lead to session takeover, exposing privileged accounts and administrative functions. The vulnerability is classified under CWE-79.

Critical Impact

Attackers can hijack authenticated sessions, including administrator sessions, to steal data and manipulate storefront content on e-commerce platforms.

Affected Products

  • Adobe Commerce 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier
  • Adobe Commerce B2B 1.5.0, 1.4.2-p3, 1.3.5-p8, 1.3.4-p10, 1.3.3-p11 and earlier
  • Magento Open Source 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier

Discovery Timeline

  • 2025-02-11 - CVE-2025-24412 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-24412

Vulnerability Analysis

The vulnerability is a stored XSS issue in Adobe Commerce form-handling logic. User input submitted through certain form fields is persisted to the database and later rendered in HTML responses without sufficient output encoding or sanitization. When a victim navigates to a page that renders the malicious payload, the injected JavaScript executes within the victim's browser session. Because the scope is changed (S:C), the injected script can affect resources beyond the originally vulnerable component, including administrative interfaces. The attacker requires only low-privileged authenticated access to plant the payload.

Root Cause

The root cause is improper neutralization of input during web page generation, classified as [CWE-79]. The affected form fields accept HTML or JavaScript syntax without applying context-aware encoding before storing or echoing the value. Adobe Commerce templating logic renders the stored value into HTML contexts where script tags or event handler attributes are interpreted by the browser.

Attack Vector

An authenticated attacker with a low-privileged account submits a crafted payload through a vulnerable form field on the Adobe Commerce instance. The payload is persisted server-side. When a higher-privileged user, such as a store administrator, visits the page that renders the stored content, the malicious JavaScript executes in that user's browser context. The attacker can exfiltrate session cookies, perform actions on behalf of the victim, or pivot to administrative functions. User interaction is required because the victim must browse to the vulnerable page.

The vulnerability is described in prose only — no verified public proof-of-concept exists at this time. Refer to the Adobe Magento Security Advisory APSB25-08 for vendor-confirmed technical details.

Detection Methods for CVE-2025-24412

Indicators of Compromise

  • Form field submissions containing HTML tags such as <script>, <img>, <svg>, or on* event handler attributes from low-privileged accounts.
  • Unexpected outbound requests from administrator browsers to attacker-controlled domains following a visit to a Commerce admin page.
  • Newly created administrator accounts or privilege changes shortly after an admin views a customer-submitted record.

Detection Strategies

  • Review Adobe Commerce application logs for input containing script-like syntax submitted to customer, address, or product form endpoints.
  • Inspect database fields tied to user-submitted content (e.g., customer attributes, address fields, order comments) for stored HTML or JavaScript payloads.
  • Correlate admin session anomalies (new IP addresses, unusual API calls) with prior storefront submissions from the same customer record.

Monitoring Recommendations

  • Enable Content Security Policy (CSP) report-only mode and forward violation reports to a centralized log store for review.
  • Monitor web application firewall logs for blocked or suspicious payloads targeting Magento endpoints such as /customer/account/, /checkout/, and admin grids.
  • Alert on administrator session token usage from unexpected geolocations or user agents.

How to Mitigate CVE-2025-24412

Immediate Actions Required

  • Apply the Adobe security update referenced in APSB25-08 to all Adobe Commerce, Commerce B2B, and Magento Open Source instances.
  • Audit existing customer-submitted data for stored script payloads and sanitize or purge offending records.
  • Rotate administrator credentials and invalidate active admin sessions after patching to revoke any tokens that may have been captured.

Patch Information

Adobe released fixed versions on February 11, 2025 as part of security bulletin APSB25-08. Upgrade Adobe Commerce and Magento Open Source to versions released after 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, and 2.4.4-p11. Upgrade Adobe Commerce B2B to the corresponding patched releases. Refer to the Adobe Magento Security Advisory for the precise fixed version mapping.

Workarounds

  • Deploy a web application firewall rule to block submissions containing HTML tags or JavaScript event handlers in form fields that should accept plain text.
  • Enforce a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted origins.
  • Restrict creation of low-privileged customer or B2B user accounts to verified sources until the patch is applied.
bash
# Example restrictive CSP header for Adobe Commerce front-end
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'; base-uri 'self'; frame-ancestors 'self'";

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.