CVE-2025-24417: 
PHP vulnerability analysis and mitigation

Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. The vulnerability was disclosed on February 11, 2025, and has been assigned identifier CVE-2025-24417 (Adobe Security, NVD).

The vulnerability is classified as a stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 8.7 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N). The vulnerability requires authentication to exploit and admin privileges. When exploited, malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field (Adobe Security).

A successful exploitation of this vulnerability could lead to arbitrary code execution and session takeover, with high confidentiality and integrity impact. The vulnerability affects multiple versions of Adobe Commerce and requires user interaction to be exploited (Adobe Security).

Adobe has released security updates to address this vulnerability. Users should update to the following versions based on their current installation: Adobe Commerce 2.4.8-beta2 for 2.4.8-beta1, 2.4.7-p4 for 2.4.7-p3 and earlier, 2.4.6-p9 for 2.4.6-p8 and earlier, 2.4.5-p11 for 2.4.5-p10 and earlier, or 2.4.4-p12 for 2.4.4-p11 and earlier (Adobe Security).