Detections
Analytics

Adobe Commerce/Magento Open Source Multiple Vulnerabilities (APSB25-71)

high Nessus Plugin ID 261776

Language:

Synopsis

The Adobe Commerce/Magento Open Source instance installed on the remote host is affected by multiple vulnerabilities.

Description

The version of Adobe Commerce/Magento Open Source installed on the remote host it is, therefore, affected by multiple vulnerabilities as referenced in the APSB25-71 advisory.

 - Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Input Validation vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability by providing specially crafted input, causing the application to crash or become unresponsive. Exploitation of this issue does not require user interaction. (CVE-2025-49554)

 - Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could result in privilege escalation. A high-privileged attacker could trick a victim into executing unintended actions on a web application where the victim is authenticated, potentially allowing unauthorized access or modification of sensitive data. Exploitation of this issue requires user interaction in that a victim must visit a malicious website or click on a crafted link. Scope is changed. (CVE-2025-49555)

 - Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be exploited by a low-privileged attacker to inject malicious scripts into vulnerable form fields. These scripts may be used to escalate privileges within the application or compromise sensitive user data. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. Scope is changed. (CVE-2025-49557)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Adobe Commerce/Magento Open Source version as advised

See Also

http://www.nessus.org/u?e35841c8

Plugin Details

Severity: High

ID: 261776

File Name: adobe_commerce_apsb25-71.nasl

Version: 1.1

Type: local

Agent: unix

Family: Misc.

Published: 9/9/2025

Updated: 9/9/2025

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.1

CVSS v2

Risk Factor: High

Base Score: 8.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:N

CVSS Score Source: CVE-2025-49557

CVSS v3

Risk Factor: High

Base Score: 8.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Vulnerability Information

CPE: cpe:/a:adobe:commerce, cpe:/a:adobe:magento

Patch Publication Date: 10/8/2024

Vulnerability Publication Date: 10/8/2024

Reference Information

CVE: CVE-2025-49554, CVE-2025-49555, CVE-2025-49556, CVE-2025-49557, CVE-2025-49558, CVE-2025-49559