CVE-2025-24412 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. The vulnerability arises from insufficient sanitization of user input in certain form fields, allowing a low-privileged attacker to inject malicious JavaScript code that is stored on the server and later executed in the browsers of users who access the affected pages. This stored XSS can be exploited to perform session hijacking, enabling attackers to impersonate legitimate users, steal sensitive information, or perform unauthorized actions within the victim's session. The vulnerability requires the attacker to have low privileges and user interaction (victims must visit the maliciously crafted page). The CVSS 3.1 base score is 8.7, reflecting high severity due to network attack vector, low attack complexity, and high impact on confidentiality and integrity, with no impact on availability. The vulnerability affects the confidentiality and integrity of user sessions and data by enabling script execution in trusted contexts. No public exploits have been reported yet, but the potential impact on e-commerce platforms is significant given the widespread use of Adobe Commerce. The vulnerability is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation).

The impact of CVE-2025-24412 is substantial for organizations running affected versions of Adobe Commerce, a widely used e-commerce platform. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of users’ browsers, leading to session hijacking, theft of sensitive customer data, unauthorized transactions, and potential compromise of administrative accounts if administrators are targeted. This undermines customer trust, can lead to financial losses, and damage brand reputation. Given Adobe Commerce’s global adoption, especially among retail and online businesses, the vulnerability poses a risk to the confidentiality and integrity of customer and business data. The attack requires user interaction but can be initiated by low-privileged users, increasing the attack surface. While availability is not directly impacted, the indirect consequences such as fraud and data breaches can have severe operational and regulatory repercussions.

To mitigate CVE-2025-24412, organizations should immediately upgrade to the latest patched versions of Adobe Commerce once available. Until patches are released, implement strict input validation and sanitization on all user-supplied data in form fields to prevent script injection. Employ output encoding techniques to neutralize any malicious scripts before rendering content in browsers. Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Limit user privileges to the minimum necessary to reduce the risk from low-privileged attackers. Monitor web application logs for suspicious input patterns indicative of XSS attempts. Educate users and administrators about the risks of clicking untrusted links. Conduct regular security assessments and penetration testing focused on XSS vulnerabilities. Consider deploying Web Application Firewalls (WAFs) with rules to detect and block XSS payloads targeting Adobe Commerce.