CVE-2025-24415
Published: 11 February 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-24415 is a stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. The flaw allows malicious scripts to be injected into vulnerable form fields, with a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high confidentiality and integrity impacts.
A low-privileged attacker can exploit this vulnerability by injecting malicious JavaScript into the affected form fields. When a victim browses to the page containing the injected content, the script executes in their browser, potentially enabling session takeover and compromising sensitive data or account control.
Adobe has published security bulletin APSB25-08, available at https://helpx.adobe.com/security/products/magento/apsb25-08.html, which provides details on mitigation, including recommended patches for the affected versions. Security practitioners should review the advisory for upgrade instructions and apply fixes promptly to vulnerable instances.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS enables injection of JS that executes in victims' browsers on page visit, directly facilitating drive-by compromise (T1189) and browser session hijacking for takeover (T1185).