Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin attacker to inject malicious scripts into every admin page. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field, that could be leveraged to gain admin access.

Affected Packages

Packagist magento/community-edition

Affected versions: 2.4.6-p1 (fixed in 2.4.6-p4)

Packagist magento/community-edition

Affected versions: 2.4.5-p1 (fixed in 2.4.5-p6)

Packagist magento/community-edition

Affected versions: 2.4.4-p1 (fixed in 2.4.4-p7)

Packagist magento/project-community-edition

Affected versions: 0 (last affected: 2.0.2)

Related CVEs

CVE-2024-20719

Key Information

GHSA ID

GHSA-264g-f7v8-q5qq

Published

February 15, 2024 3:30 PM

Last Modified

March 4, 2025 6:52 PM

CVSS Score

7.5 /10

Primary Ecosystem

Packagist

Primary Package

magento/community-edition

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 1, 2025 6:44 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.