5.4

CVSS Score

Basic Information

CVE ID

CVE-2025-24428

GHSA ID

GHSA-mm87-rrqx-94cr

EPSS Score

CWE

CWE-79

Published

2/11/2025

Updated

2/28/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-24428

CVE-2025-24428:
Magento stored Cross-Site Scripting (XSS) vulnerability

Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

(GitHub Advisory)

5.4

CVSS Score

Basic Information

CVE ID

CVE-2025-24428

GHSA ID

GHSA-mm87-rrqx-94cr

EPSS Score

CWE

CWE-79

Published

2/11/2025

Updated

2/28/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
magento/community-edition	composer	>= 2.4.7-beta1, < 2.4.7-p4	2.4.7-p4
magento/community-edition	composer	>= 2.4.6-p1, < 2.4.6-p9	2.4.6-p9
magento/community-edition	composer	>= 2.4.5-p1, < 2.4.5-p11	2.4.5-p11
magento/community-edition	composer	< 2.4.4-p12	2.4.4-p12
magento/community-edition	composer	= 2.4.7
magento/community-edition	composer	= 2.4.6
magento/community-edition	composer	= 2.4.5
magento/community-edition	composer	= 2.4.4
magento/community-edition	composer	= 2.4.8-beta1
magento/project-community-edition	composer	<= 2.0.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability involves stored XSS in form fields requiring low privileges. Common attack vectors in Magento include customer registration forms, CMS content editing, and product management interfaces. While no specific patch details are available, these components are: 1) Core user input handlers (Account\Save), 2) CMS content persistence points (Page\Save), and 3) Frontend rendering mechanisms (Product\View). The confidence is medium as these are typical XSS vectors in Magento, but without commit diffs, we can't confirm exact vulnerable functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**o** *omm*r** v*rsions *.*.*-**t**, *.*.*-p*, *.*.*-p*, *.*.*-p**, *.*.*-p** *n* **rli*r *r* *****t** *y * stor** *ross-Sit* S*riptin* (XSS) vuln*r**ility t**t *oul* ** **us** *y * low-privil**** *tt**k*r to inj**t m*li*ious s*ripts into vuln*r**l*

Reasoning

T** vuln*r**ility involv*s stor** XSS in *orm *i*l*s r*quirin* low privil***s. *ommon *tt**k v**tors in M***nto in*lu** *ustom*r r**istr*tion *orms, *MS *ont*nt **itin*, *n* pro*u*t m*n***m*nt int*r****s. W*il* no sp**i*i* p*t** **t*ils *r* *v*il**l*

5.4

Basic Information

Concerned about an active attack path?

CVE-2025-24428: Magento stored Cross-Site Scripting (XSS) vulnerability

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-24428:
Magento stored Cross-Site Scripting (XSS) vulnerability

Vulnerability Intelligence
Miggo AI