8.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-24412

GHSA ID

GHSA-m4rg-mpp2-97px

EPSS Score

0.1521%

CWE

CWE-79

Published

2/11/2025

Updated

2/28/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-24412

CVE-2025-24412: Magento Stored Cross-Site Scripting (XSS) Vulnerability

Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.

(GitHub Advisory)

8.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-24412

GHSA ID

GHSA-m4rg-mpp2-97px

EPSS Score

0.1521%

CWE

CWE-79

Published

2/11/2025

Updated

2/28/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
magento/community-edition	composer	>= 2.4.7-beta1, < 2.4.7-p4	2.4.7-p4
magento/community-edition	composer	>= 2.4.6-p1, < 2.4.6-p9	2.4.6-p9
magento/community-edition	composer	>= 2.4.5-p1, < 2.4.5-p11	2.4.5-p11
magento/community-edition	composer	< 2.4.4-p12	2.4.4-p12
magento/community-edition	composer	= 2.4.7
magento/community-edition	composer	= 2.4.6
magento/community-edition	composer	= 2.4.5
magento/community-edition	composer	= 2.4.4
magento/community-edition	composer	= 2.4.8-beta1
magento/project-community-edition	composer	<= 2.0.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper output encoding in form field rendering mechanisms. While exact patch details are unavailable, Magento's XSS vulnerabilities typically occur in:

Block rendering logic (AbstractBlock::toHtml) where dynamic content is injected into templates without escaping
UI component form elements (AbstractElement::getHtml) that handle user-inputted values These components are central to form rendering across admin/frontend interfaces, aligning with the 'low-privileged attacker' scenario. Confidence is medium due to the pattern matching with historical Magento XSS issues, though unconfirmed without commit diffs.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**o** *omm*r** v*rsions *.*.*-**t**, *.*.*-p*, *.*.*-p*, *.*.*-p**, *.*.*-p** *n* **rli*r *r* *****t** *y * stor** *ross-Sit* S*riptin* (XSS) vuln*r**ility t**t *oul* ** **us** *y * low-privil**** *tt**k*r to inj**t m*li*ious s*ripts into vuln*r**l*

Reasoning

T** vuln*r**ility st*ms *rom improp*r output *n*o*in* in *orm *i*l* r*n**rin* m****nisms. W*il* *x**t p*t** **t*ils *r* un*v*il**l*, M***nto's XSS vuln*r**iliti*s typi**lly o**ur in: *. *lo*k r*n**rin* lo*i* (**str**t*lo*k::to*tml) w**r* *yn*mi* *ont

8.7

Basic Information

Concerned about an active attack path?

CVE-2025-24412: Magento Stored Cross-Site Scripting (XSS) Vulnerability

8.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI