CVE-2025-24415: 
PHP vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-24415) affects Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier. The vulnerability was disclosed on February 11, 2025, and could be exploited by a low-privileged attacker to inject malicious scripts into vulnerable form fields (Adobe Security, NVD).

The vulnerability is classified as a stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 8.9 (Critical), and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L. The vulnerability requires both authentication and admin privileges to exploit (Adobe Security).

When successfully exploited, malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. This can lead to arbitrary code execution and potential session takeover, resulting in high confidentiality and integrity impact (NVD).

Adobe has released security updates to address this vulnerability. Users should update to the following versions based on their current installation: 2.4.8-beta2 for 2.4.8-beta1 users, 2.4.7-p4 for 2.4.7-p3 and earlier, 2.4.6-p9 for 2.4.6-p8 and earlier, 2.4.5-p11 for 2.4.5-p10 and earlier, or 2.4.4-p12 for 2.4.4-p11 and earlier (Adobe Security).

The vulnerability was reported by security researcher 'wohlie' as part of Adobe's private, invite-only bug bounty program with HackerOne (Adobe Security).