CVE-2025-24416
Published: 11 February 2025
Summary
CVE-2025-24416 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Adobe Commerce. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked in the top 20.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires validating inputs to vulnerable form fields, directly preventing injection of malicious JavaScript in this stored XSS vulnerability.
SI-15 mandates filtering and encoding of outputs from vulnerable form fields, preventing execution of injected scripts in victims' browsers.
SI-2 ensures timely remediation by applying available patches for the specific flaw in Adobe Commerce versions affected by this CVE.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS enables direct execution of attacker-controlled JavaScript in the victim's browser context (T1059.007) and facilitates browser session hijacking for session takeover (T1185).
NVD Description
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed…
more
in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.
Deeper analysisAI
CVE-2025-24416 is a stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. The flaw allows injection of malicious scripts into vulnerable form fields, with a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N). It was published on 2025-02-11.
A low-privileged attacker can exploit this vulnerability by injecting malicious JavaScript into affected form fields. When a victim browses to the page containing the injected content, the script executes in their browser, potentially enabling session takeover and compromising confidentiality and integrity with high impact.
Adobe's security advisory at https://helpx.adobe.com/security/products/magento/apsb25-08.html provides details on mitigation and available patches for the affected versions.
Details
- CWE(s)