CVE-2025-24416
Published: 11 February 2025
Summary
CVE-2025-24416 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Adobe Commerce. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). The CVE ranks in the top 19.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier contain a stored cross-site scripting vulnerability tracked as CVE-2025-24416. The flaw, assigned CWE-79, resides in form fields that fail to properly sanitize input, allowing malicious scripts to persist and execute when other users view the affected pages. It carries a CVSS 3.1 score of 8.7, reflecting a network attack vector, low attack complexity, low privileges required and changed scope.
A low-privileged attacker can inject JavaScript payloads into the vulnerable fields. When an authenticated victim browses to the page, the script runs in that victim's browser context, enabling the attacker to hijack the session; the impact on confidentiality and integrity is high, while availability is unaffected.
The Adobe security advisory at https://helpx.adobe.com/security/products/magento/apsb25-08.html provides remediation steps for the listed Magento and Adobe Commerce releases. The associated EPSS score has remained flat at 0.0132, with no material increase observed since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3697
Vulnerability details
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS enables direct execution of attacker-controlled JavaScript in the victim's browser context (T1059.007) and enables browser session hijacking (T1185), which is the session takeover described above.
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validating inputs to vulnerable form fields, directly preventing injection of malicious JavaScript in this stored XSS vulnerability.
SI-15 mandates filtering and encoding of outputs from vulnerable form fields, preventing execution of injected scripts in victims' browsers.
SI-2 ensures timely remediation by applying available patches for the specific flaw in Adobe Commerce versions affected by this CVE.
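As an added example written for this page (not Adobe Commerce or Magento code), the block below applies both controls to stored form-field data: SI-10 as allowlist validation when a form is submitted, and SI-15 as encoding chosen by output context when the stored value is later rendered. The field names, validation rules and stored values are constructed samples.

```python
import html
import json
import re

# Constructed sample of stored form-field values (not from the advisory), as they
# might sit in the database after a low-privileged user submitted a form.
STORED_FIELDS = {
    "postcode": "90210",
    "company": '<b>Acme</b>" onmouseover="alert(1)',
}

# SI-10: allowlist patterns for structured fields, applied at submission time.
# Free-text fields (None) get only a length cap, because legitimate names may
# contain & or <; for them, safety must come from output encoding (SI-15).
FIELD_RULES = {"postcode": re.compile(r"[A-Za-z0-9 -]{3,10}"), "company": None}
MAX_TEXT_LEN = 255

def invalid_fields(submitted: dict) -> list:
    """Return the names of submitted fields that fail validation (empty list = accept)."""
    bad = []
    for field, value in submitted.items():
        if field not in FIELD_RULES:        # unknown fields are rejected, not stored
            bad.append(field)
            continue
        rule = FIELD_RULES[field]
        ok = len(value) <= MAX_TEXT_LEN if rule is None else rule.fullmatch(value) is not None
        if not ok:
            bad.append(field)
    return bad

# SI-15: encode at render time, choosing the encoder by output context.
def encode_for_html(value: str) -> str:
    """Safe between tags and inside double-quoted attributes: escapes & < > " and '."""
    return html.escape(value, quote=True)

def encode_for_js_string(value: str) -> str:
    """Safe inside a <script> string literal: JSON escaping handles quotes and
    backslashes; < and > are escaped so the literal cannot close the script block."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")

def render_admin_row(fields: dict) -> str:
    """Render stored values into an admin grid row with context-matched encoding."""
    company = encode_for_html(fields["company"])
    return (f'<tr data-company="{company}"><td>{company}</td>'
            f'<td>{encode_for_html(fields["postcode"])}</td></tr>')

def render_inline_config(fields: dict) -> str:
    """Render a stored value into an inline script, where HTML escaping alone is the wrong tool."""
    return f"<script>var company = {encode_for_js_string(fields['company'])};</script>"
```

Validation is deliberately loose for the free-text field; the context-specific encoding step is what keeps the stored value inert in each place it is rendered.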