Skip to main content

Magento CVE-2025-47110

| EUVDEUVD-2025-17706 HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-06-10 psirt@adobe.com GHSA-j934-vjh5-vf9r
8.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 14, 2026 - 19:49 euvd
EUVD-2025-17706
Analysis Generated
Mar 14, 2026 - 19:49 vuln.today
CVE Published
Jun 10, 2025 - 16:15 nvd
HIGH 8.4

DescriptionCVE.org

Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Scope is changed to that of other high-privileged accounts, leading to a high impact on confidentiality, integrity, and availability.

AnalysisAI

Adobe Commerce versions 2.4.8 and earlier contain a stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-47110, CVSS 8.4) in form field validation that allows high-privileged attackers to inject malicious JavaScript into the application. When other high-privileged users view pages containing the injected payload, the malicious script executes in their browser context, potentially compromising confidentiality, integrity, and availability across multiple privileged accounts. The vulnerability requires high privileges to exploit but affects other high-privileged users, making it a significant concern in multi-admin environments.

Technical ContextAI

This is a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability exists in Adobe Commerce form field handling, where user-supplied input is not properly sanitized or encoded before being stored in the database and subsequently rendered in HTML context. Adobe Commerce is a PHP-based e-commerce platform that processes and displays form data across administrative and storefront interfaces. The flaw allows attackers with high-privileged administrative access to persist malicious JavaScript payloads in form fields, which are then executed when any user (particularly other high-privileged accounts) views the affected page. This represents a failure in input validation and output encoding mechanisms that should strip or escape potentially dangerous HTML/JavaScript constructs before storage and display.

RemediationAI

Immediate actions: (1) Upgrade Adobe Commerce to patched versions—upgrade to 2.4.8-p1 or later if on 2.4.8; 2.4.7-p6 or later if on 2.4.7; 2.4.6-p11 or later if on 2.4.6; 2.4.5-p13 or later if on 2.4.5; 2.4.4-p14 or later if on 2.4.4; (2) Consult Adobe's official security bulletin and apply patches from https://experienceleague.adobe.com/en/docs/commerce-operations/release-notes/security-patches; (3) Interim mitigations pending patching: restrict admin user access to essential personnel only, audit admin user accounts for unauthorized access, review admin action logs for suspicious form field modifications, disable or restrict form fields identified as vulnerable if operationally feasible; (4) Web Application Firewall (WAF) rules: implement input filtering to detect and block common XSS payloads in form submissions to vulnerable fields; (5) Content Security Policy (CSP): enforce strict CSP headers to limit inline script execution impact even if payload is rendered.

CVE-2016-4010 CRITICAL POC
9.8 Jan 23

Magento CE and EE before 2.0.6 allows remote attackers to conduct PHP objection injection attacks and execute arbitrary

CVE-2015-1397 MEDIUM POC
6.5 Apr 29

SQL injection vulnerability in the getCsvFile function in the Mage_Adminhtml_Block_Widget_Grid class in Magento Communit

CVE-2024-34102 CRITICAL POC
9.8 Jun 13

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML E

CVE-2015-1398 MEDIUM POC
6.5 Apr 29

Multiple directory traversal vulnerabilities in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.

CVE-2019-7139 CRITICAL POC
9.8 Apr 10

An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database, which ca

CVE-2020-8818 HIGH POC
8.1 Feb 25

An issue was discovered in the CardGate Payments plugin through 2.0.30 for Magento 2. Rated high severity (CVSS 8.1), th

CVE-2023-41879 HIGH POC
7.5 Sep 11

Magento LTS is the official OpenMage LTS codebase. Rated high severity (CVSS 7.5), this vulnerability is remotely exploi

CVE-2015-1399 MEDIUM POC
6.5 Apr 29

PHP remote file inclusion vulnerability in the fetchView function in the Mage_Core_Block_Template_Zend class in Magento

CVE-2015-3458 MEDIUM POC
6.5 Apr 29

The fetchView function in the Mage_Core_Block_Template_Zend class in Magento Community Edition (CE) 1.9.1.0 and Enterpri

CVE-2014-9758 MEDIUM POC
6.1 Sep 20

Cross-site scripting (XSS) vulnerability in Magento E-Commerce Platform 1.9.0.1. Rated medium severity (CVSS 6.1), this

CVE-2015-8707 CRITICAL
9.8 Sep 26

Password reset tokens in Magento CE before 1.9.2.2, and Magento EE before 1.14.2.2 are passed via a GET request and not

CVE-2024-45115 CRITICAL
9.8 Oct 10

Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authentication v

Share

CVE-2025-47110 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy