CVE-2025-24428: 
PHP vulnerability analysis and mitigation

Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. The vulnerability was disclosed on February 11, 2025 (NVD, Adobe Security).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) (CWE-79) with a CVSS v3.1 base score of 5.4 (Important) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability requires authentication to exploit but does not require administrative privileges (Adobe Security).

When successfully exploited, this vulnerability could lead to arbitrary code execution. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field (NVD).

Adobe has released security updates to address this vulnerability. Users are recommended to update to Adobe Commerce versions 2.4.8-beta2 (for 2.4.8-beta1), 2.4.7-p4 (for 2.4.7-p3 and earlier), 2.4.6-p9 (for 2.4.6-p8 and earlier), 2.4.5-p11 (for 2.4.5-p10 and earlier), or 2.4.4-p12 (for 2.4.4-p11 and earlier) (Adobe Security).

The vulnerability was reported by security researcher thlassche, who was acknowledged by Adobe for their contribution to discovering and reporting this security issue (Adobe Security).