CVE-2025-49557 magento/project-community-edition

Package

Manager: composer
Name: magento/project-community-edition
Vulnerable Version: >=0 <=2.0.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00041 (percentile: 0.11513)

Details

Magento Cross-site Scripting vulnerability

Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be exploited by a low-privileged attacker to inject malicious scripts into vulnerable form fields. These scripts may be used to escalate privileges within the application or compromise sensitive user data. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. Scope is changed.

Metadata

Created: 2025-08-12T18:31:30Z
Modified: 2025-08-15T22:30:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-8mq8-c243-2335/GHSA-8mq8-c243-2335.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-8mq8-c243-2335
Finding: F425
Auto approve: 1