Adobe Commerce/Magento Security Advisory APSB25-71: Multiple CVEs (RCE/XSS/Priv Esc)

### Critical Vulnerability Information #### Vulnerability Advisory - **Advisory ID**: APSB25-71 - **Release Date**: August 12, 2025 - **Priority**: 2 #### Affected Versions - **Adobe Commerce** - Versions: 2.4.x-advisory, 2.4.x-patch, 2.4.x-cumulative, 2.4.x-patch-and-cumulative - Platforms: All - **Adobe Commerce EE** - Versions: 1.15.x-advisory, 1.15.x-patch, 1.15.x-cumulative, 1.15.x-patch-and-cumulative - Platforms: All - **Magento Open Source** - Versions: 2.4.x-advisory, 2.4.x-patch, 2.4.x-cumulative, 2.4.x-patch-and-cumulative - Platforms: All #### Remediation - **Adobe Commerce** - Updated Versions: 2.4.6-advisory, 2.4.7-p3, 2.4.7-p2, 2.4.5-p4, 2.4.4-p5 - Platforms: All - Priority: 2 - **Adobe Commerce EE** - Updated Versions: 1.15.6-patch-2, 1.15.5-p3, 1.15.4-p4, 1.15.3-p5 - Platforms: All - Priority: 7 - **Magento Open Source** - Updated Versions: 2.4.6-advisory, 2.4.7-p2, 2.4.7-p1, 2.4.5-p2, 2.4.4-p3 - Platforms: All - Priority: 7 #### Vulnerability Details | Vulnerability Category | Impact | Severity | Authentication Required for Exploitation | Privilege Escalation to Admin | CVSS Base Score | |------------------------|--------|----------|----------------------------------------|-----------------------------|-----------------| | CVE-2025-XXXX | Application Denial of Service | Critical | No | No | 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | | CVE-2025-YYYY | Cross-Site Scripting | Critical | Yes | Yes | 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H | | CVE-2025-ZZZZ | Insecure Authorization | Critical | Yes | Yes | 7.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | | CVE-2025-WWWW | Command Injection | Medium | Yes | Yes | 6.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | | CVE-2025-VVVV | Race Condition | Low | No | No | 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | | CVE-2025-UUUU | Invalid File Path | Important | Yes | Yes | 5.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | #### Notes - **Authentication Required for Exploitation**: Indicates whether the vulnerability can be exploited with (or without) valid credentials. - **Privilege Escalation to Admin**: Indicates whether the vulnerability allows privilege escalation, i.e., whether it can be exploited by a user with admin privileges (or not).

Goal Reached Thanks to every supporter — we hit 100%!

Adobe Commerce/Magento Security Advisory APSB25-71: Multiple CVEs (RCE/XSS/Priv Esc)