Adobe Commerce
Moderate fix6 remedies
cpe:2.3:a:adobe:commerce:*:*:*:*:*:*:*
Moderate fix6 remedies
- <= 2.4.9-alpha2
- <= 2.4.8-p2
- <= 2.4.7-p7
- <= 2.4.6-p12
- <= 2.4.5-p14
- <= 2.4.4-p15
Adobe Commerce and Magento Open Source Stored Cross-Site Scripting Vulnerability
Vulnerability
Patched
A stored Cross-Site Scripting (XSS) vulnerability has been identified in Adobe Commerce and Magento Open Source versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier. This vulnerability allows a high-privileged attacker to inject malicious scripts into vulnerable form fields. When a victim interacts with the page containing the compromised field, the injected JavaScript could be executed in their browser. Exploitation of this vulnerability could lead to session takeover, significantly increasing risks to confidentiality and integrity.
Impact
Successful exploitation allows for the injection of malicious scripts that are executed in the context of the user's browser, potentially leading to session hijacking.
Remediation
Users are advised to update to Adobe Commerce 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15 or 2.4.4-p16. For Magento Open Source users, the recommended versions are 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13 or 2.4.5-p15.
Added: Oct 15, 2025, 12:06 AM
Updated: Oct 15, 2025, 12:06 AM
Vulnerability Rating
Custom Algorithm
spread
6.4impact
5.4exploitability
4.7remediation
7.7relevance
0.7threat
0.0urgency
2.9incentive
1.7Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.