
Magento Security Release APSB25-08 [Impact Analysis]


by Sansec Forensics Team

Published in Threat Research − February 12, 2025

Critical (CVSS 9.4) release enables attackers to take control of customer accounts.


APSB25-08 released on Feb 11th, 2025

Critical Adobe Commerce/Magento security patches have just been released (CVSS 9.4/10).

New versions: 2.4.4-p12, 2.4.5-p11, 2.4.6-p9, 2.4.7-p4, additionally 2.4.8-beta2. You should schedule an upgrade ASAP.

  • Request validation was added to the Asynchronous Web API. This is a port of CVE-2023-38218, which previously received an 8.8 CVSS score (see our analysis) but is now a critical 9.4. Unauthorized attackers can take control of customer accounts. There is an isolated patch available if you cannot upgrade.
  • Several stored XSS that could be exploited with admin access. Areas affected are system configuration, product edit page, customer edit page, and the dashboard.
  • A locking mechanism was added to prevent coupons from being used more than their allowed limit.
  • In the wake of CosmicSting, a new "extensible data re-encryption mechanism" was added to make changing your encryption key less painful. Despite Adobe's claim that it is in 2.4.8-beta only, it is present in the 2.4.4 patch as well.
  • A directory traversal issue was fixed that would allow admins to download arbitrary files within the var folder.
  • TinyMCE was downgraded from version 7 to version 6 due to compatibility issues with OSL (thanks to Fabrizio Balliano and Tu Van).
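To turn the version list above into an inventory check, here is an added example (not Sansec's eComscan or Adobe's code) that parses a Magento version string and decides whether it carries the APSB25-08 fixes; the fixed versions are the ones named in this post, and the sample inventory at the bottom is constructed.

```python
"""Classify Adobe Commerce / Magento versions against APSB25-08 (Feb 11, 2025)."""
import re
from typing import Dict, Iterable, Optional, Tuple

# Minimum patch level per supported release line, as listed in APSB25-08.
APSB25_08_FIXED = {
    (2, 4, 4): 12,  # 2.4.4-p12
    (2, 4, 5): 11,  # 2.4.5-p11
    (2, 4, 6): 9,   # 2.4.6-p9
    (2, 4, 7): 4,   # 2.4.7-p4
}
# 2.4.8 exists only as a beta; beta2 is the fixed build.
FIXED_BETA = ((2, 4, 8), 2)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+)|-beta(\d+))?$")


def parse_version(version: str) -> Tuple[Tuple[int, int, int], Tuple[str, int]]:
    """Split '2.4.6-p8' into ((2, 4, 6), ('p', 8)); a bare '2.4.7' is patch level 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {version!r}")
    major, minor, patch, p, beta = m.groups()
    base = (int(major), int(minor), int(patch))
    if p is not None:
        return base, ("p", int(p))
    if beta is not None:
        return base, ("beta", int(beta))
    return base, ("p", 0)  # unsuffixed GA release, never a patched build


def is_patched(version: str) -> Optional[bool]:
    """True if APSB25-08 is applied, False if not, None if the line is not in the bulletin."""
    base, (kind, level) = parse_version(version)
    if base in APSB25_08_FIXED:
        return kind == "p" and level >= APSB25_08_FIXED[base]
    if base == FIXED_BETA[0]:
        return level >= FIXED_BETA[1] if kind == "beta" else None
    if base < (2, 4, 4):
        return False  # 2.3.x and 2.4.0-2.4.3 are out of support: no fix exists
    return None


def report(versions: Iterable[str]) -> Dict[str, Optional[bool]]:
    """Map each version in an inventory to its patch status."""
    return {v: is_patched(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not data from a real store.
    for v, ok in report(["2.4.7-p3", "2.4.7-p4", "2.4.6", "2.4.8-beta2", "2.3.7-p4"]).items():
        print(f"{v:12} {'patched' if ok else 'UPGRADE' if ok is False else 'not covered'}")
```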

eComscan will alert you about vulnerable installations.
