CVE-2025-47110 Overview
CVE-2025-47110 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Commerce, Adobe Commerce B2B, and Magento Open Source platforms. This vulnerability allows a high-privileged attacker to inject malicious scripts into vulnerable form fields within the application's administrative interface. When other privileged users browse to pages containing the injected malicious content, the JavaScript executes within their browser context, potentially leading to session hijacking, credential theft, and unauthorized administrative actions.
The vulnerability is rated with a changed scope (CVSS Scope: Changed), meaning successful exploitation affects other high-privileged accounts beyond the attacker's own security context, with significant confidentiality, integrity, and availability impact across the affected e-commerce platform.
Critical Impact
High-privileged attackers can inject persistent malicious JavaScript that executes in other administrators' browsers, potentially compromising entire e-commerce operations and customer data.
Affected Products
- Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier
- Adobe Commerce B2B versions 1.5.2, 1.4.2-p5, 1.3.5-p10, 1.3.4-p12, 1.3.3-p13 and earlier
- Magento Open Source versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12 and earlier
Discovery Timeline
- June 10, 2025 - CVE-2025-47110 published to NVD
- July 15, 2025 - Last updated in NVD database
Technical Details for CVE-2025-47110
Vulnerability Analysis
This stored XSS vulnerability (CWE-79) resides in form fields within Adobe Commerce's administrative backend. Unlike reflected XSS attacks that require a victim to click a malicious link, stored XSS persists the malicious payload in the application's database. This makes the attack more dangerous as the payload executes automatically whenever an authenticated administrator views the affected page.
The attack requires high privileges to initially inject the malicious content, which provides some barrier to exploitation. However, once injected, the malicious script executes with the permissions of any administrator who views the compromised page. The scope change characteristic means the vulnerability can affect resources beyond the immediate security context, potentially allowing an attacker with limited administrative access to escalate their privileges to those of a super administrator.
Root Cause
The vulnerability stems from insufficient input validation and output encoding in specific form fields within the Adobe Commerce administrative interface. When user-supplied data is stored in the database without proper sanitization and later rendered in HTML pages without adequate output encoding, it creates conditions for stored XSS attacks. The affected form fields fail to properly neutralize potentially malicious script content before it is persisted and subsequently displayed to other users.
Attack Vector
The attack is network-based and requires the attacker to have high-privileged access to the Adobe Commerce administrative panel. The exploitation sequence involves:
- An attacker with administrative access navigates to a vulnerable form field within the Commerce admin interface
- The attacker injects malicious JavaScript code into the vulnerable field (e.g., product descriptions, CMS content, or configuration fields)
- The malicious payload is stored in the application database
- When another administrator views the page containing the malicious content, the JavaScript executes in their browser
- The executed script can steal session cookies, perform actions as the victim user, or exfiltrate sensitive data
The attack requires user interaction in that a victim must navigate to the compromised page, but no additional clicks or actions are needed for the payload to execute.
Detection Methods for CVE-2025-47110
Indicators of Compromise
- Unexpected JavaScript code or HTML tags in database fields that typically store plain text or structured content
- Unusual administrative activity patterns, such as bulk modifications to product descriptions or CMS pages
- Session anomalies where administrator sessions are accessed from unexpected IP addresses or geographic locations
- Browser console errors or unexpected script execution warnings in admin panel pages
Detection Strategies
- Implement Content Security Policy (CSP) headers, starting in report-only mode with a reporting endpoint, to detect and report inline script execution attempts in the administrative interface
- Deploy web application firewall (WAF) rules to monitor for XSS payload patterns in form submissions to admin endpoints
- Enable comprehensive audit logging for all administrative content modifications, particularly in CMS and product catalog areas
- Use SentinelOne's application security monitoring to detect anomalous JavaScript execution patterns in browser contexts
Monitoring Recommendations
- Monitor database content for suspicious script tags, event handlers, and JavaScript URIs using regular expression patterns
- Review administrative access logs for accounts making bulk content modifications outside normal business patterns
- Implement real-time alerting for session cookie access or exfiltration attempts from admin pages
- Configure browser-based telemetry to detect and report unexpected script sources or inline code execution
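As an added example (not part of this advisory, nor Adobe's or SentinelOne's code), the following Python script applies the regular-expression checks described above to content exported from admin-editable fields; the Magento table names are used only as labels, and the sample rows are constructed.

```python
import html
import re

# Hypothetical audit script: scans admin-editable content exported from tables
# such as cms_page.content, cms_block.content or catalog_product_entity_text.value
# for the stored-XSS markers the advisory lists (script tags, event handlers,
# javascript: URIs). Patterns run on entity-decoded text so that encoded forms
# like <scr&#105;pt> or &#106;avascript: are caught as well.
PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"<[^>]+\s+on[a-z]+\s*=", re.I | re.S),
    "javascript_uri": re.compile(
        r"(?:href|src|action|formaction)\s*=\s*['\"]?\s*j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*:",
        re.I,
    ),
    "iframe_srcdoc": re.compile(r"<\s*iframe\b[^>]*\bsrcdoc\s*=", re.I),
}

def find_suspicious(content: str) -> list[str]:
    """Return the names of the patterns that match one stored field value."""
    decoded = html.unescape(content or "")
    # Drop control characters (except tab/newline) that some payloads use to
    # split keywords; the \s* gaps in the patterns then cover the remainder.
    decoded = re.sub(r"[\x00-\x08\x0b\x0c\x0e-\x1f]", "", decoded)
    return [name for name, rx in PATTERNS.items() if rx.search(decoded)]

def scan_rows(rows):
    """rows: iterable of (table, row_id, text). Returns (table, row_id, hits)."""
    findings = []
    for table, row_id, text in rows:
        hits = find_suspicious(text)
        if hits:
            findings.append((table, row_id, hits))
    return findings

# Constructed sample rows standing in for a database export.
SAMPLE_ROWS = [
    ("cms_page", 1, "<p>Welcome to our store</p><img src='/media/banner.jpg' alt='Spring sale'>"),
    ("cms_block", 7, "<div><img src=x onerror=alert(1)></div>"),
    ("catalog_product_entity_text", 42, "<a href='&#106;avascript:alert(1)'>Details</a>"),
    ("cms_page", 3, "<p>Read our <a href='/policy'>returns policy</a>.</p>"),
    ("cms_block", 9, "<scr&#105;pt>alert(1)</script>"),
]

if __name__ == "__main__":
    for table, row_id, hits in scan_rows(SAMPLE_ROWS):
        print(f"{table} id={row_id}: {', '.join(hits)}")
```

Any hit should be reviewed by hand against the page's audit log, since legitimate content authored by a trusted administrator can contain inline event handlers.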
How to Mitigate CVE-2025-47110
Immediate Actions Required
- Update Adobe Commerce to the latest patched version as specified in Adobe Security Bulletin APSB25-50
- Audit all administrative user accounts and remove unnecessary high-privileged access
- Review recent content modifications in CMS pages, product descriptions, and configuration fields for suspicious code
- Implement or strengthen Content Security Policy headers to prevent inline script execution
Patch Information
Adobe has released security updates addressing this vulnerability. Organizations should apply the patches detailed in the Adobe Magento Security Update (APSB25-50). The following versions contain the fix:
- Adobe Commerce 2.4.8-p1 and later
- Adobe Commerce 2.4.7-p6 and later
- Adobe Commerce 2.4.6-p11 and later
- Adobe Commerce 2.4.5-p13 and later
- Adobe Commerce 2.4.4-p14 and later
- Corresponding patched versions for Magento Open Source and Commerce B2B
Workarounds
- Implement strict Content Security Policy headers that disable inline JavaScript execution and restrict script sources to trusted domains
- Review and restrict administrative access to only essential personnel, following the principle of least privilege
- Deploy a Web Application Firewall (WAF) with XSS detection rules to filter malicious input before it reaches the application
- Enable HttpOnly and Secure flags on session cookies to reduce the impact of potential script execution
```apache
# Example CSP header for Apache (mod_headers). The admin panel relies on inline
# scripts, so test this as Content-Security-Policy-Report-Only before enforcing it.
Header set Content-Security-Policy "default-src 'self'; script-src 'self' https://trusted-cdn.example.com; object-src 'none'; base-uri 'self';"

# HttpOnly and Secure flags for the PHP session cookie.
# .htaccess form (only effective when PHP runs as an Apache module, mod_php):
php_value session.cookie_httponly 1
php_value session.cookie_secure 1
# php.ini form (use this with PHP-FPM, where php_value is ignored):
# session.cookie_httponly = 1
# session.cookie_secure = 1
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.