CVE-2024-20719 CRITICAL

CVE-2024-20719: [Adobe Commerce] Stored XSS from low privileged admin user on every admin page, bypassing CVE-2023-29297

Vendor Adobe
Product Adobe Commerce
Weakness CWE-79 · XSS
Published February 15, 2024
Last update August 1, 2024
View on NVD All CVEs

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin attacker to inject malicious scripts into every admin page. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field, that could be leveraged to gain admin access.

Key dates

02Disclosure timeline

February 15, 2024 CVE published
August 1, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-58857 WordPress Table of content Plugin <= 1.5.3.1 - Cross Site Request Forgery (CSRF) Vulnerability CVE-2023-2395 Netgear SRX5308 Web Management Interface cross site scripting CVE-2022-43579 IBM Sterling B2B Integrator Standard Edition cross-site scripting CVE-2025-46437 WordPress Tayori Form plugin <= 1.2.9 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2024-2525 MAGESH-K21 Online-College-Event-Hall-Reservation-System receipt.php cross site scripting