CVE-2024-20717 in Commerce
Summary
by MITRE • 02/15/2024
Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 06/23/2026
This vulnerability represents a critical stored cross-site scripting flaw in Adobe Commerce platforms that poses significant risks to web application security and user data integrity. The vulnerability exists within the form field processing mechanisms of affected versions, specifically those including 2.4.6-p3, 2.4.5-p5, and 2.4.4-p6 and earlier releases. A low-privileged attacker can exploit this weakness by injecting malicious JavaScript code into input fields that are subsequently stored and displayed without proper sanitization. This type of vulnerability falls under CWE-79 which specifically addresses cross-site scripting flaws where untrusted data is improperly escaped or validated before being rendered in web browsers. The attack vector leverages the application's failure to adequately filter user-supplied content, creating an environment where malicious scripts can persist and execute automatically when legitimate users access pages containing the compromised data.
The operational impact of this vulnerability extends beyond simple script execution as it enables attackers to perform various malicious activities including session hijacking, credential theft, and data exfiltration. When victims browse to pages containing the stored malicious content, their browsers execute the injected JavaScript code within the context of the vulnerable application, potentially allowing attackers to access sensitive user information, manipulate transactions, or redirect users to malicious websites. The low-privileged nature of the attack means that even users with minimal administrative rights can exploit this flaw, making it particularly dangerous in environments where multiple user roles exist. This vulnerability directly maps to attack techniques described in the MITRE ATT&CK framework under T1059.007 for scripting and T1566.001 for credential access through social engineering, as attackers can leverage this weakness to establish persistent access to user sessions.
The security implications of this stored XSS vulnerability are compounded by the nature of e-commerce environments where sensitive customer data flows through these applications regularly. Attackers could potentially harvest customer session cookies, manipulate shopping cart contents, or even redirect users during checkout processes to steal payment information. The persistence of stored scripts means that once injected, malicious code remains active until manually removed from the application's database, providing attackers with extended periods of access without requiring repeated exploitation attempts. Organizations utilizing Adobe Commerce should immediately implement comprehensive input validation and output encoding measures, ensuring all user-supplied data undergoes strict sanitization before being processed or stored. The remediation strategy must include thorough code review processes to identify all form fields and data entry points that could be vulnerable to similar injection attacks, following security best practices established by OWASP and other industry standards for preventing cross-site scripting vulnerabilities in web applications.