CVE-2025-24412

CVE-2025-24412 is a stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. The flaw resides in vulnerable form fields that fail to properly sanitize user input, enabling the injection of malicious JavaScript. Published on 2025-02-11, it carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), reflecting high severity due to its network accessibility and cross-origin scope.

A low-privileged attacker with access to the platform can exploit this by submitting malicious scripts through affected form fields. When a victim browses to the page containing the injected content, the JavaScript executes in their browser context, potentially enabling session takeover. This escalates impacts on confidentiality and integrity to high levels, as the attacker could steal session cookies, impersonate users, or perform unauthorized actions on their behalf.

Adobe's security bulletin APSB25-08 addresses this issue for Magento (Adobe Commerce), with full details and recommended mitigations available at https://helpx.adobe.com/security/products/magento/apsb25-08.html.