CVE-2025-24417
Published: 11 February 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-24417 is a stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. The issue resides in vulnerable form fields that fail to properly sanitize user input, enabling the injection of malicious JavaScript. Published on 2025-02-11, it carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and changed scope.
A low-privileged attacker with existing access can exploit this vulnerability by injecting malicious scripts into the affected form fields. When a victim user browses to the page containing the injected content, the JavaScript executes in that user's browser context. This can lead to session takeover, with a high impact on confidentiality and integrity and no impact on availability.
Adobe's security bulletin APSB25-08 details mitigation strategies and available patches: https://helpx.adobe.com/security/products/magento/apsb25-08.html.
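The defect class behind this CVE is output that embeds a stored field value into a page without HTML encoding. The following is an added illustration, not code from Adobe Commerce or from the bulletin: a constructed "company name" field value (hypothetical field, constructed payload) is rendered once by an unsafe string-concatenation template and once by a template that escapes at output time, and a Content-Security-Policy header builder shows the defence-in-depth control that limits what an injected inline script can do if escaping is missed somewhere.

```javascript
// Added example (not Adobe Commerce code): stored XSS in a form field, the
// unsafe rendering pattern beside its hardened form, plus a CSP header helper.

// Constructed sample of a value a low-privileged account could save into a
// text field; the field name "Company" is hypothetical.
const STORED_FIELD_VALUE = '<img src=x onerror="alert(1)">';

// HTML-escape a value for use in text nodes and double-quoted attributes.
// Encoding at output time is the primary fix for CWE-79.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored value is concatenated straight into markup,
// so any tag it contains becomes live DOM for every viewer of the page.
function renderFieldUnsafe(label, value) {
  return `<div class="field"><span>${label}</span><span>${value}</span></div>`;
}

// Hardened pattern: every untrusted value is escaped when it is written out.
function renderFieldSafe(label, value) {
  return `<div class="field"><span>${escapeHtml(label)}</span>` +
         `<span>${escapeHtml(value)}</span></div>`;
}

// Crude regression check for templates that display stored user input:
// true when the rendered HTML still carries the raw, unescaped value.
function leaksRawValue(renderedHtml, rawValue) {
  return rawValue !== escapeHtml(rawValue) && renderedHtml.includes(rawValue);
}

// Defence in depth: a nonce-based CSP refuses inline scripts and inline event
// handlers, so an injected payload that slips past encoding does not execute.
// The nonce must be freshly generated per response by the server.
function contentSecurityPolicyHeader(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

// Stand-alone demonstration of both renderings.
function demo() {
  const unsafe = renderFieldUnsafe('Company', STORED_FIELD_VALUE);
  const safe = renderFieldSafe('Company', STORED_FIELD_VALUE);
  console.log('unsafe leaks payload:', leaksRawValue(unsafe, STORED_FIELD_VALUE));
  console.log('safe   leaks payload:', leaksRawValue(safe, STORED_FIELD_VALUE));
  console.log('CSP:', contentSecurityPolicyHeader('constructed-nonce'));
  return { unsafe, safe };
}

demo();
```

The check in `leaksRawValue` is deliberately simple; it catches the concatenation bug shown here but is no substitute for a template engine that auto-escapes, and it does not detect values that are injected into JavaScript or URL contexts, which need their own encoders.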
Details
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")
- Affected Products: Adobe Commerce 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier
- MITRE ATT&CK Enterprise Techniques: Browser Session Hijacking
Why these techniques?
Stored XSS enables injection and execution of malicious JavaScript in the victim's browser context, directly facilitating the browser session hijacking and session takeover described above.