CVE-2025-24417 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. The vulnerability arises from insufficient sanitization of user input in certain form fields, allowing a low-privileged attacker to inject malicious JavaScript code that is stored on the server and later executed in the browsers of users who access the affected pages. This stored XSS can be exploited to hijack user sessions, steal cookies, or perform actions on behalf of the victim, thereby compromising confidentiality and integrity. The CVSS 3.1 base score is 8.7, reflecting network attack vector, low attack complexity, low privileges required, and user interaction needed, with a scope change and high impact on confidentiality and integrity but no impact on availability. Although no active exploits have been reported, the vulnerability poses a significant risk to e-commerce platforms relying on Adobe Commerce, as attackers can leverage it to compromise customer accounts and sensitive data. The vulnerability is categorized under CWE-79, which is a common and well-understood web application security weakness. Adobe has not yet published patches, so organizations must monitor for updates and apply them promptly once available.

The impact of CVE-2025-24417 is considerable for organizations using Adobe Commerce, particularly those operating online retail platforms. Successful exploitation can lead to session hijacking, allowing attackers to impersonate legitimate users, including customers or administrators, potentially leading to unauthorized transactions, data theft, or manipulation of store content. The confidentiality of user data, including personal and payment information, is at risk, as is the integrity of the e-commerce platform. Although availability is not directly impacted, the reputational damage and potential regulatory consequences from data breaches can be severe. Given the widespread use of Adobe Commerce globally, especially among medium to large enterprises, this vulnerability could be leveraged in targeted attacks or broad campaigns against online retailers. The requirement for user interaction (victim visiting a maliciously crafted page) slightly limits exploitation but does not eliminate risk, especially in phishing or social engineering scenarios.

Organizations should immediately review their Adobe Commerce deployments and identify if they are running affected versions. Although no official patches are currently available, administrators should: 1) Implement strict input validation and sanitization on all user-supplied data fields to prevent script injection. 2) Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 3) Educate users and administrators about phishing risks to reduce the chance of user interaction with malicious content. 4) Monitor web application logs for unusual input patterns or script injection attempts. 5) Restrict privileges of users who can submit data to vulnerable fields to the minimum necessary. 6) Prepare to apply Adobe’s official patches immediately upon release. 7) Consider using Web Application Firewalls (WAFs) with rules to detect and block XSS payloads targeting Adobe Commerce. These steps will reduce the attack surface and mitigate exploitation risks until patches are deployed.