Impact
Key detail from vendor description: Adobe Commerce versions 2.4.9‑alpha3, 2.4.8‑p3, 2.4.7‑p8, 2.4.6‑p13, 2.4.5‑p15, 2.4.4‑p16 and earlier are affected by a stored Cross‑Site Scripting (XSS) vulnerability that could be abused by a low‑privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field, enabling session takeover, which increases confidentiality and integrity impact to high. Exploitation requires a user to visit the page containing the vulnerable field.
Affected Systems
Affected systems include the Adobe Commerce (Magento) platform, from version 2.4.9‑alpha3 back through the earlier release candidates and patch releases down to and including 2.4.4‑p16. The impacted products span multiple product lines, including Adobe Commerce B2B and the open‑source Magento distribution, as evidenced by the extensive list of CPE identifiers in the CVE data.
Risk and Exploitability
Risk: The vulnerability has a CVSS base score of 8.7, indicating high severity. An EPSS score below 1% suggests a low probability of exploitation in the wild, but the impact of a successful attack is significant. The attack vector is a stored XSS: an attacker injects malicious content into form fields that are not properly sanitized, and that content is rendered when a victim accesses the page. Attackers with low privileges can exploit the flaw, potentially hijacking sessions and compromising the confidentiality and integrity of user sessions.
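The stored‑XSS mechanism described above (unsanitized field value stored, then rendered to another user) modelled in Python as an added example; this is not Adobe or Magento code, and the field value, record ids and regexes are constructed here to illustrate the vulnerable render path, the escaped render path, and a triage scan of already‑stored values.

```python
import html
import re

# Constructed sample: a low-privileged user submits a form field (e.g. a name)
# that is stored and later rendered into a page viewed by someone else.
STORED_FIELD = "Alice<script>alert(1)</script>"  # constructed, not from the advisory


def render_unsafe(value: str) -> str:
    """Vulnerable path: the stored value is concatenated into HTML unchanged."""
    return f'<td class="name">{value}</td>'


def render_safe(value: str) -> str:
    """Hardened path: HTML-escape the value for an element-body context."""
    return f'<td class="name">{html.escape(value, quote=True)}</td>'


def render_attr_safe(value: str) -> str:
    """Attribute context: the value must be quoted AND quote characters escaped,
    otherwise a stored value can break out of the attribute and add handlers."""
    return f'<input name="customer" value="{html.escape(value, quote=True)}">'


# Does rendered output still contain a live <script> start tag?
_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_active_markup(rendered: str) -> bool:
    return _SCRIPT_TAG.search(rendered) is not None


# Crude triage pattern for values already sitting in the database: a complete
# tag, an inline event handler, or a javascript: URL. It is a starting point
# for review, not a sanitizer; escaping on output remains the fix.
_SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z][\w-]*[^<>]*>|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE
)


def audit_stored_fields(records):
    """Return the ids of stored (id, value) records that warrant manual review."""
    return [rid for rid, value in records if _SUSPICIOUS.search(value)]
```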
OpenCVE Enrichment