CVE-2025-24414
Published: 11 February 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behavior, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-24414 is a stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. Published on 2025-02-11, it carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N). The issue stems from inadequate sanitization, allowing malicious scripts to be injected into vulnerable form fields.
A low-privileged attacker can exploit this vulnerability by injecting malicious JavaScript into the affected form fields. When a victim user browses to the page containing the injected content, the script executes in their browser context. This can enable session takeover, resulting in high confidentiality and integrity impacts.
Adobe's security bulletin APSB25-08 provides details on mitigation, available at https://helpx.adobe.com/security/products/magento/apsb25-08.html.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS enables injection of malicious JavaScript that executes in victim browsers, directly facilitating browser session hijacking and takeover as described.