CVE-2025-24413 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. This vulnerability arises from insufficient sanitization of user input in certain form fields, allowing a low-privileged attacker to inject malicious JavaScript code that is persistently stored on the server. When other users or administrators visit the affected pages, the malicious script executes within their browser context. This can lead to session hijacking, unauthorized actions, and data theft, compromising both confidentiality and integrity of user sessions. The vulnerability requires the attacker to have low privileges and user interaction (victim browsing the infected page) but does not require administrator privileges or complex attack vectors. The CVSS 3.1 score of 8.7 reflects a network attack vector with low attack complexity, requiring privileges but with user interaction, and impacts confidentiality and integrity at a high level. No public exploits have been reported yet, but the vulnerability is critical for e-commerce platforms relying on Adobe Commerce, as it can facilitate account takeover and fraud. The vulnerability is tracked under CWE-79, a common and well-understood category of web application security flaws. Adobe has not yet released patches, so mitigation currently relies on defensive controls and monitoring.

The impact of CVE-2025-24413 is significant for organizations running affected Adobe Commerce versions. Successful exploitation can lead to session hijacking, allowing attackers to impersonate legitimate users, including potentially privileged accounts. This can result in unauthorized access to sensitive customer data, manipulation of orders, theft of payment information, and fraudulent transactions. The integrity of the e-commerce platform is compromised, damaging customer trust and potentially causing financial losses. Additionally, attackers could use the vulnerability as a foothold for further attacks within the network. Given the widespread use of Adobe Commerce in global e-commerce, the vulnerability poses a risk to businesses of all sizes, especially those with high traffic and valuable customer data. The requirement for low privileges and user interaction lowers the barrier for exploitation, increasing the likelihood of attacks once exploit code becomes available. The absence of known exploits currently provides a window for proactive defense, but the high severity demands urgent attention.

Organizations should immediately inventory their Adobe Commerce installations to identify affected versions. Until official patches are released, implement strict input validation and sanitization on all user-supplied data, especially in form fields exposed to users. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Enable HTTP-only and secure flags on session cookies to reduce the risk of session theft. Monitor web application logs for unusual input patterns or repeated attempts to inject scripts. Consider using Web Application Firewalls (WAFs) with rules targeting XSS attack signatures to block malicious payloads. Educate users and administrators about the risk of clicking suspicious links or visiting untrusted pages within the commerce platform. Once Adobe releases patches, prioritize timely application of updates. Conduct thorough testing post-patch to ensure the vulnerability is fully remediated. Additionally, review and harden user privilege assignments to minimize the impact of low-privileged attackers.