CVE-2025-47110

EUVD-2025-17706 | HIGH 8.4 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd), patch available
Analysis Generated: Mar 14, 2026 - 19:49 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 19:49 (euvd), EUVD-2025-17706
CVE Published: Jun 10, 2025 - 16:15 (nvd)
Severity: HIGH 8.4

Description

Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Scope is changed to that of other high-privileged accounts, leading to a high impact on confidentiality, integrity, and availability.

Analysis

Adobe Commerce versions 2.4.8 and earlier contain a stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-47110, CVSS 8.4) in form field validation that allows high-privileged attackers to inject malicious JavaScript into the application. When other high-privileged users view pages containing the injected payload, the malicious script executes in their browser context, potentially compromising confidentiality, integrity, and availability across multiple privileged accounts. The vulnerability requires high privileges to exploit but affects other high-privileged users, making it a significant concern in multi-admin environments.

Technical Context

This is a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability exists in Adobe Commerce form field handling, where user-supplied input is not properly sanitized or encoded before being stored in the database and subsequently rendered in HTML context. Adobe Commerce is a PHP-based e-commerce platform that processes and displays form data across administrative and storefront interfaces. The flaw allows attackers with high-privileged administrative access to persist malicious JavaScript payloads in form fields, which are then executed when any user (particularly other high-privileged accounts) views the affected page. This represents a failure in input validation and output encoding mechanisms that should strip or escape potentially dangerous HTML/JavaScript constructs before storage and display.

Affected Products

Adobe Commerce (all editions affected): version 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13, and all earlier versions. CPE identifiers for affected products: cpe:2.3:a:adobe:commerce:2.4.8:*:*:*:*:*:*:*, cpe:2.3:a:adobe:commerce:2.4.7:p5:*:*:*:*:*:*, cpe:2.3:a:adobe:commerce:2.4.6:p10:*:*:*:*:*:*, cpe:2.3:a:adobe:commerce:2.4.5:p12:*:*:*:*:*:*, cpe:2.3:a:adobe:commerce:2.4.4:p13:*:*:*:*:*:*. All versions below 2.4.4-p13 are also affected. Magento Open Source and Adobe Commerce Cloud instances using these versions are in scope.

Remediation

Immediate actions:

(1) Upgrade Adobe Commerce to a patched version: 2.4.8-p1 or later if on 2.4.8; 2.4.7-p6 or later if on 2.4.7; 2.4.6-p11 or later if on 2.4.6; 2.4.5-p13 or later if on 2.4.5; 2.4.4-p14 or later if on 2.4.4.
(2) Consult Adobe's official security bulletin and apply patches from https://experienceleague.adobe.com/en/docs/commerce-operations/release-notes/security-patches.
(3) Interim mitigations pending patching: restrict admin user access to essential personnel only, audit admin user accounts for unauthorized access, review admin action logs for suspicious form field modifications, and disable or restrict form fields identified as vulnerable if operationally feasible.
(4) Web Application Firewall (WAF) rules: implement input filtering to detect and block common XSS payloads in form submissions to vulnerable fields.
(5) Content Security Policy (CSP): enforce strict CSP headers to limit the impact of inline script execution even if the payload is rendered.
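The Technical Context section above describes the defect class (a stored value interpolated into HTML without output encoding) and the Remediation section recommends reviewing stored form fields and enforcing CSP. The following is an added example, written in Python rather than PHP and not Adobe Commerce code, that simulates that store-then-render path with an in-memory store: it renders a field both raw (the CWE-79 defect) and entity-encoded, runs an audit over stored values to find ones that already carry markup, and builds a nonce-based CSP value. The field names, sample values, regular expression and CSP directives are all constructed for illustration.

```python
"""Stored XSS round trip for an admin form field: raw vs. encoded rendering, an audit
pass over stored values, and a CSP header that limits the blast radius.

Added example, not Adobe Commerce code: the in-memory store, field names and
sample values below are constructed for illustration.
"""
import html
import re

# Constructed sample values as an admin might save them through a form.
# The last one is the kind of input that a missing output-encoding step turns
# into live markup when the page is rendered for another administrator.
STORED_FIELDS = {
    "store_name": "Acme Outlet",
    "welcome_message": 'Summer sale: 20% off "all" items & more',
    "footer_note": "<script>alert(1)</script>",
}

# Patterns indicating a stored value carries markup or script rather than text.
# Used to review already-stored admin values: patching the encoding bug does not
# remove payloads that were saved before the patch.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def render_field(name: str, value: str, encode: bool) -> str:
    """Render one stored field into an HTML element.

    encode=False reproduces the CWE-79 defect: the stored string is interpolated
    into the HTML body as-is. encode=True applies HTML entity encoding with
    quote=True so <, >, &, " and ' cannot change the document structure.
    """
    body = html.escape(value, quote=True) if encode else value
    return f'<div data-field="{html.escape(name, quote=True)}">{body}</div>'


def audit_stored_fields(fields: dict[str, str]) -> list[str]:
    """Return the names of stored fields whose values look like markup or script."""
    return [name for name, value in fields.items() if SUSPICIOUS.search(value)]


def csp_header(nonce: str) -> str:
    """Build a nonce-based Content-Security-Policy value.

    With this policy the browser only runs scripts that carry the per-response
    nonce, so an injected inline <script> that does get rendered is refused.
    The directive set is an example policy, not Adobe's recommended one.
    """
    return (
        "default-src 'self'; "
        f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
        "object-src 'none'; base-uri 'self'"
    )


if __name__ == "__main__":
    for name, value in STORED_FIELDS.items():
        print("raw    :", render_field(name, value, encode=False))
        print("encoded:", render_field(name, value, encode=True))
    print("flagged for review:", audit_stored_fields(STORED_FIELDS))
    print("Content-Security-Policy:", csp_header("r4nd0m"))
```

The encoded rendering of `footer_note` contains `&lt;script&gt;` rather than a live tag, the audit flags only that field, and the nonce must be generated fresh per response for the CSP to be effective.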

Priority Score

42 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.2
CVSS: +42
POC: 0

CVE-2025-47110 vulnerability details – vuln.today