Adobe Commerce versions 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, 2.4.7-beta3 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Confidentiality and integrity are considered high due to having admin impact.

Affected Packages

Packagist magento/community-edition

Affected versions: 2.4.7-beta1 (fixed in 2.4.7)

Packagist magento/community-edition

Affected versions: 2.4.6-p1 (fixed in 2.4.6-p5)

Packagist magento/community-edition

Affected versions: 2.4.5-p1 (fixed in 2.4.5-p7)

Packagist magento/community-edition

Affected versions: 2.4.4-p1 (fixed in 2.4.4-p8)

Packagist magento/project-community-edition

Affected versions: 0 (last affected: 2.0.2)

Related CVEs

CVE-2024-20759

Key Information

GHSA ID

GHSA-59vf-hjxc-f9c5

Published

April 10, 2024 3:30 PM

Last Modified

March 4, 2025 6:53 PM

CVSS Score

5.0 /10

Primary Ecosystem

Packagist

Primary Package

magento/community-edition

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 1, 2025 6:44 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.