Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-24417

CVE-2025-24417: Adobe Commerce Stored XSS Vulnerability

CVE-2025-24417 is a stored XSS vulnerability in Adobe Commerce that allows low-privileged attackers to inject malicious scripts, potentially leading to session takeover. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2025-24417 Overview

CVE-2025-24417 is a stored Cross-Site Scripting (XSS) vulnerability [CWE-79] affecting Adobe Commerce, Adobe Commerce B2B, and Magento Open Source. A low-privileged attacker can inject malicious JavaScript into vulnerable form fields. When a victim browses to the page containing the injected payload, the script executes in their browser context. Successful exploitation enables session takeover, leading to high impact on confidentiality and integrity.

Affected releases include Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. Adobe addressed the issue in security advisory APSB25-08.

Critical Impact

A low-privileged attacker can persistently inject JavaScript into stored form fields, hijacking authenticated sessions of administrators or customers who view the affected pages.

Affected Products

  • Adobe Commerce (versions through 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11)
  • Adobe Commerce B2B (versions through 1.5.0, 1.4.2-p3, 1.3.5-p8, 1.3.4-p10, 1.3.3-p11)
  • Magento Open Source (versions through 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11)

Discovery Timeline

  • 2025-02-11 - CVE-2025-24417 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-24417

Vulnerability Analysis

The vulnerability is a stored XSS flaw classified under [CWE-79] (Improper Neutralization of Input During Web Page Generation). Form fields within the affected Adobe Commerce and Magento components accept user-supplied input without adequate sanitization or output encoding. The unsanitized data is persisted in the application backend and later rendered in HTML responses delivered to other users.

When the stored payload contains JavaScript, the browser executes it in the context of the rendering page. Because Adobe Commerce stores sensitive session tokens, customer data, and order information, attackers can leverage script execution to exfiltrate cookies, perform privileged API calls, or pivot to administrative actions.

The EPSS score for this issue is 0.656%, indicating limited but non-trivial likelihood of exploitation activity in the near term.

Root Cause

The root cause is improper neutralization of user-controlled input written into form fields. The application fails to apply context-aware output encoding when rendering stored field values back into HTML pages. Authenticated low-privileged accounts have sufficient access to write payloads into these fields.

Attack Vector

Exploitation is network-based and requires both attacker authentication and victim interaction. The attacker logs in with a low-privileged account, submits a crafted payload into a vulnerable form field, and waits for an administrator or other user to view the page that renders the stored content. The scope changes when the script executes in the victim's authenticated session, enabling session takeover and unauthorized actions on behalf of the victim.

No public proof-of-concept or exploit code has been published for this issue. Refer to the Adobe Security Advisory APSB25-08 for vendor-supplied technical details.

Detection Methods for CVE-2025-24417

Indicators of Compromise

  • HTML or JavaScript tags such as <script>, onerror=, onload=, or javascript: URIs persisted within form-field records in the Magento database.
  • Unexpected outbound HTTP requests from admin browser sessions to attacker-controlled domains, often following an admin viewing a customer or order record.
  • Anomalous session activity from administrator accounts, including API calls or configuration changes that do not correspond to legitimate admin actions.

Detection Strategies

  • Inspect database tables that store user-submitted form data for HTML control characters and script tokens; flag entries containing <, >, script, or event handler attributes.
  • Enable and review web server access logs for repeated POST requests from low-privileged accounts to endpoints that accept form submissions.
  • Monitor admin panel page renders for Content Security Policy (CSP) violations indicating inline script execution.

Monitoring Recommendations

  • Forward Magento application and access logs to a centralized analytics platform for correlation and long-term retention.
  • Alert on creation or modification of customer or B2B records by accounts that historically do not perform such actions.
  • Track outbound network connections from administrator workstations during Magento admin sessions to identify data exfiltration patterns.

How to Mitigate CVE-2025-24417

Immediate Actions Required

  • Apply the security updates listed in Adobe Security Advisory APSB25-08 to all Adobe Commerce, Commerce B2B, and Magento Open Source instances.
  • Audit existing form-field data for previously stored XSS payloads and remove any malicious content before patching.
  • Review and rotate session tokens and administrator credentials if compromise is suspected.

Patch Information

Adobe released fixed versions addressing CVE-2025-24417 as part of bulletin APSB25-08. Upgrade Adobe Commerce and Magento Open Source to the patched versions superseding 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, and 2.4.4-p11. Adobe Commerce B2B customers should upgrade beyond 1.5.0, 1.4.2-p3, 1.3.5-p8, 1.3.4-p10, and 1.3.3-p11.

Workarounds

  • Restrict creation of low-privileged accounts and require admin approval for new B2B users until patches are applied.
  • Deploy a Web Application Firewall (WAF) rule set to block payloads containing <script>, event handlers, and javascript: URIs in POST parameters.
  • Enforce a strict Content Security Policy (CSP) that disallows inline scripts in the Magento admin panel to reduce the impact of stored XSS payloads.
bash
# Example restrictive CSP header for Magento admin responses
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.