CVE-2025-24416
Published: 11 February 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-24416 is a stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. The flaw allows injection of malicious scripts into vulnerable form fields, with a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N). It was published on 2025-02-11.
A low-privileged attacker can exploit this vulnerability by injecting malicious JavaScript into affected form fields. When a victim browses to the page containing the injected content, the script executes in their browser, potentially enabling session takeover and compromising confidentiality and integrity with high impact.
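To make the mechanism concrete, the following is an added example, not code from Adobe or from the Adobe Commerce code base. It contrasts a template that interpolates a stored field value verbatim (the CWE-79 pattern) with one that applies contextual HTML output encoding first, and uses a crude marker check to show that only the unencoded path yields executable content. The field value is constructed for the demonstration; the function names are this example's own.

```javascript
// Added example (not from the Adobe advisory or Adobe Commerce source).
// Shows why stored XSS works and how output encoding at render time stops it.

// Minimal HTML escaper for text placed between tags or inside quoted attributes.
// Other contexts (URLs, inline JavaScript, CSS) need their own encoders.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the stored field value is dropped into markup unchanged.
function renderVulnerable(field) {
  return `<div class="note">${field}</div>`;
}

// Hardened rendering: the same value is HTML-encoded before interpolation.
function renderSafe(field) {
  return `<div class="note">${escapeHtml(field)}</div>`;
}

// Rough detector used only to make the difference visible: does the rendered
// markup contain a script element or an inline event-handler attribute?
function containsActiveContent(html) {
  return /<script\b|<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Constructed sample of a stored field value (hypothetical, for illustration).
const STORED_FIELD = '<img src=x onerror="alert(1)">';

// Render the sample both ways and report whether active content survived.
function demo() {
  return {
    vulnerable: containsActiveContent(renderVulnerable(STORED_FIELD)),
    safe: containsActiveContent(renderSafe(STORED_FIELD)),
  };
}

console.log(demo()); // { vulnerable: true, safe: false }
```

The fix for a stored XSS of this class is applied where the value is written into the page, not where it is read from the form: every untrusted value must pass through an encoder matching its output context (HTML body, attribute, URL, or script). In a PHP template for Adobe Commerce the equivalent is the framework's escaper methods rather than a hand-written helper like the one above; the regex detector here is a teaching aid, not a substitute for encoding.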
Adobe's security advisory at https://helpx.adobe.com/security/products/magento/apsb25-08.html provides details on mitigation and available patches for the affected versions.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS enables direct execution of attacker-controlled JavaScript in the victim's browser context (T1059.007) and facilitates browser session hijacking for session takeover (T1185).