CVE-2025-24410 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. The flaw allows a low-privileged attacker to inject malicious JavaScript code into vulnerable form fields within the Adobe Commerce platform. When a victim user accesses the affected page, the injected script executes in their browser context, potentially allowing the attacker to hijack user sessions, steal sensitive information, or perform actions on behalf of the user. The vulnerability requires user interaction (visiting the compromised page) and low privileges for exploitation, but no elevated privileges are necessary. The CVSS 3.1 base score of 8.7 indicates a high severity, with network attack vector, low attack complexity, and partial privileges required. The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable module, increasing the impact on confidentiality and integrity. Although no known exploits have been reported in the wild, the risk remains significant due to the widespread use of Adobe Commerce in e-commerce environments. The vulnerability highlights the importance of secure input validation and output encoding in web applications to prevent script injection and execution.

If exploited, this vulnerability can lead to session hijacking, allowing attackers to impersonate legitimate users and access sensitive customer data, including personal and payment information. This compromises confidentiality and integrity of user data and can result in unauthorized transactions or data breaches. The availability impact is minimal, but the reputational damage and regulatory consequences for affected organizations can be severe. Given Adobe Commerce's role in e-commerce platforms worldwide, exploitation could disrupt business operations, erode customer trust, and lead to financial losses. Attackers could also use this vulnerability as a foothold for further attacks within the network. The requirement for low privileges and user interaction lowers the barrier for exploitation, increasing the threat level for organizations that have not applied mitigations or patches.

Organizations should monitor Adobe's official channels for patches addressing CVE-2025-24410 and apply them promptly once available. In the interim, implement strict input validation and sanitization on all user-supplied data fields to prevent malicious script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Conduct regular security audits and penetration testing focused on XSS vulnerabilities within the Adobe Commerce environment. Educate users and administrators about the risks of clicking untrusted links or visiting suspicious pages. Consider deploying Web Application Firewalls (WAFs) with rules tailored to detect and block XSS attack patterns. Additionally, review and minimize privileges assigned to users to reduce the attack surface. Logging and monitoring for unusual activities related to session tokens or script injections can aid in early detection of exploitation attempts.