CVE-2025-24410
Published: 11 February 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-24410 is a stored Cross-Site Scripting (XSS) vulnerability (CWE-79) affecting Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. Published on 2025-02-11, it carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N). The issue stems from insufficient sanitization of inputs in vulnerable form fields, enabling persistent script injection.
A low-privileged attacker with existing access can exploit this by injecting malicious JavaScript into affected form fields. When a victim user browses to the page displaying the tainted content, the script executes in their browser context, potentially enabling session takeover. This escalates impacts to high confidentiality and integrity, as the attacker could steal session cookies or perform actions on behalf of the victim.
Adobe's security bulletin APSB25-08, available at https://helpx.adobe.com/security/products/magento/apsb25-08.html, provides details on mitigation, including recommended patches for affected versions. Security practitioners should prioritize updating to patched releases and reviewing user input handling in custom form implementations.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The stored XSS vulnerability allows a low-privileged attacker to inject persistent malicious JavaScript into form fields. When victims view the tainted content, the script executes in their browser (T1059.007), directly enabling theft of web session cookies for session takeover (T1539).