CVE-2025-24413
Published: 11 February 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-24413 is a stored Cross-Site Scripting (XSS) vulnerability (CWE-79) affecting Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. Published on 2025-02-11, it carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to its network accessibility, low complexity, and potential for significant confidentiality and integrity impacts.
A low-privileged attacker can exploit the vulnerability by injecting malicious scripts into vulnerable form fields. When a victim browses to the page containing the injected content, the malicious JavaScript executes in their browser, enabling session takeover and escalating the confidentiality and integrity impacts to high.
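The stored XSS pattern described above, as an added example that is not part of the advisory or of Adobe Commerce's own code: a stored field value (here a constructed product review) rendered into HTML once without output encoding and once with it, plus a simple triage check for stored values that look like markup. The field names, the `escapeHtml` helper and the sample review are assumptions made for illustration.

```javascript
// Added example (not Adobe's code): rendering stored user content in an HTML
// page with and without output encoding. The helper names, the review record
// and the sample values below are constructed for illustration.

// Escape the characters that change meaning inside HTML text and attribute
// values (the usual mapping recommended for HTML contexts).
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored field values are concatenated straight into
// markup, so an attacker-controlled field becomes live HTML for every viewer.
function renderReviewUnsafe(review) {
  return `<div class="review"><b>${review.author}</b><p>${review.body}</p></div>`;
}

// Hardened pattern: every untrusted value is encoded for the HTML text context
// before it is placed in markup, so the same input is shown as literal text.
function renderReviewSafe(review) {
  return `<div class="review"><b>${escapeHtml(review.author)}</b><p>${escapeHtml(review.body)}</p></div>`;
}

// Triage heuristic for a moderation queue or log pipeline: flag stored values
// that contain markup-looking sequences (tags, javascript: URLs, inline event
// handlers) so they can be reviewed before being shown to other users.
const MARKUP_PATTERN = /<\s*\/?\s*[a-z!]|javascript:|on[a-z]+\s*=/i;
function looksLikeMarkup(value) {
  return MARKUP_PATTERN.test(String(value));
}

// Constructed sample: a product review whose body carries a script tag.
const SAMPLE_REVIEW = {
  author: "guest",
  body: "Great product <script>doSomething()</script>",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe: ", renderReviewUnsafe(SAMPLE_REVIEW));
  console.log("safe:   ", renderReviewSafe(SAMPLE_REVIEW));
  console.log("flagged:", looksLikeMarkup(SAMPLE_REVIEW.body));
}
```

The encoding in `renderReviewSafe` is the actual fix; `looksLikeMarkup` only helps a defender find already-stored suspicious values and is not a substitute for context-aware output encoding on every field that reaches a page.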
Adobe's security advisory APSB25-08 details the issue and mitigation steps, available at https://helpx.adobe.com/security/products/magento/apsb25-08.html.
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS directly enables injection and execution of attacker-controlled JavaScript in the victim's browser, facilitating session takeover as described in the CVE.