
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN700
_____________________________________________________________________

DATE                : 15/10/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Adobe Commerce versions prior to
                     2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15,
                     2.4.4-p16;
                     Adobe Commerce B2B versions prior to 1.5.3-alpha3,
                     1.5.2-p3, 1.4.2-p8, 1.3.5-p13, 1.3.4-p15, 1.3.3-p16;
                     Magento Open Source versions prior to 2.4.9-alpha3,
                     2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15.

=====================================================================
https://helpx.adobe.com/security/products/magento/apsb25-94.html
_____________________________________________________________________


Last updated on Oct 14, 2025

Security update available for Adobe Commerce | APSB25-94

Bulletin ID      Date Published       Priority
APSB25-94        October 14, 2025     2


Summary

Adobe has released a security update for Adobe Commerce and Magento
Open Source. This update resolves critical and important
vulnerabilities.
Successful exploitation could lead to security feature bypass,
privilege escalation, and arbitrary code execution.

Adobe is not aware of any exploits in the wild for any of the issues
addressed in these updates.


Affected Versions

Product               Affected Version             Priority Rating   Platform

Adobe Commerce        2.4.9-alpha2 and earlier     2                 All
                      2.4.8-p2 and earlier
                      2.4.7-p7 and earlier
                      2.4.6-p12 and earlier
                      2.4.5-p14 and earlier
                      2.4.4-p15 and earlier

Adobe Commerce B2B    1.5.3-alpha2 and earlier     2                 All
                      1.5.2-p2 and earlier
                      1.4.2-p7 and earlier
                      1.3.5-p12 and earlier
                      1.3.4-p14 and earlier
                      1.3.3-p15 and earlier

Magento Open Source   2.4.9-alpha2 and earlier     2                 All
                      2.4.8-p2 and earlier
                      2.4.7-p7 and earlier
                      2.4.6-p12 and earlier
                      2.4.5-p14 and earlier


Solution

Adobe categorizes these updates with the following priority
ratings and recommends users update their installation to the
newest version.

Product               Updated Version                        Platform   Priority Rating   Installation Instructions

Adobe Commerce        2.4.9-alpha3 for 2.4.9-alpha2          All        2                 2.4.x release notes
                      2.4.8-p3 for 2.4.8-p2 and earlier
                      2.4.7-p8 for 2.4.7-p7 and earlier
                      2.4.6-p13 for 2.4.6-p12 and earlier
                      2.4.5-p15 for 2.4.5-p14 and earlier
                      2.4.4-p16 for 2.4.4-p15 and earlier

Adobe Commerce B2B    1.5.3-alpha3 for 1.5.3-alpha2          All        2
                      1.5.2-p3 for 1.5.2-p2 and earlier
                      1.4.2-p8 for 1.4.2-p7 and earlier
                      1.3.5-p13 for 1.3.5-p12 and earlier
                      1.3.4-p15 for 1.3.4-p14 and earlier
                      1.3.3-p16 for 1.3.3-p15 and earlier

Magento Open Source   2.4.9-alpha3 for 2.4.9-alpha2          All        2
                      2.4.8-p3 for 2.4.8-p2 and earlier
                      2.4.7-p8 for 2.4.7-p7 and earlier
                      2.4.6-p13 for 2.4.6-p12 and earlier
                      2.4.5-p15 for 2.4.5-p14 and earlier

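The first thing a practitioner wants from the table above is a yes/no answer for a given host: is the installed build at or above the fixed build for its release line? The script below is an added example, not Adobe's or the Magento project's code. It parses a Magento-style version string (a bare "2.4.7-p3", or a line such as "Magento CLI 2.4.7-p3", which is assumed here to be the format printed by bin/magento --version on the host being checked), orders pre-releases before GA and GA before -pN security patches, and compares the result with the 2.4.x fixed builds listed in the Solution table. The FIXED_24X dictionary, the sample version strings and the status labels are this example's own constructions; the Adobe Commerce B2B lines are not keyed here and would get a second table of the same shape.

```python
"""Compare an installed Adobe Commerce / Magento Open Source version with the
2.4.x fixed builds from APSB25-94 (added example, not Adobe's own code)."""
import re
from typing import Dict, Optional, Tuple

# Fixed builds per release line, copied from the Solution table above.
# Only the 2.4.x lines shared by Adobe Commerce and Magento Open Source are
# keyed here; the B2B package would get its own table of the same shape.
FIXED_24X: Dict[str, str] = {
    "2.4.9": "2.4.9-alpha3",
    "2.4.8": "2.4.8-p3",
    "2.4.7": "2.4.7-p8",
    "2.4.6": "2.4.6-p13",
    "2.4.5": "2.4.5-p15",
    "2.4.4": "2.4.4-p16",
}

# Version grammar handled here: MAJOR.MINOR.PATCH with an optional
# -alphaN / -betaN pre-release or -pN security-patch suffix.
_VERSION_RE = re.compile(
    r"(?P<base>\d+\.\d+\.\d+)(?:-(?P<stage>alpha|beta|p)(?P<n>\d+))?"
)
# Ordering within one release line: pre-releases < GA < security patches.
_STAGE_RANK = {"alpha": 0, "beta": 1, "ga": 2, "p": 3}

VersionKey = Tuple[int, int, int, int, int]


def parse_version(text: str) -> Tuple[str, VersionKey]:
    """Extract the first Magento-style version from `text` and return
    (release_line, sort_key).  `text` may be a bare version or a line such
    as "Magento CLI 2.4.7-p3" (assumed format of `bin/magento --version`)."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Magento-style version found in {text!r}")
    major, minor, patch = (int(x) for x in m.group("base").split("."))
    stage = m.group("stage") or "ga"
    n = int(m.group("n") or 0)
    return m.group("base"), (major, minor, patch, _STAGE_RANK[stage], n)


def check_apsb25_94(version_text: str,
                    table: Dict[str, str] = FIXED_24X) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_build_for_this_release_line).

    status is "fixed" (at or above the fixed build of its release line),
    "vulnerable" (below it), or "unlisted" (release line absent from the
    bulletin table: out of support or newer than the bulletin, so it needs
    a manual look rather than a green tick)."""
    line, key = parse_version(version_text)
    fixed = table.get(line)
    if fixed is None:
        return "unlisted", None
    _, fixed_key = parse_version(fixed)
    return ("fixed" if key >= fixed_key else "vulnerable"), fixed


if __name__ == "__main__":
    # Constructed sample outputs of `bin/magento --version`; not real hosts.
    samples = [
        "Magento CLI 2.4.7-p3",
        "Magento CLI 2.4.8-p3",
        "Magento CLI 2.4.6",
        "Magento CLI 2.4.9-alpha2",
        "Magento CLI 2.4.3-p3",
    ]
    for s in samples:
        status, fixed = check_apsb25_94(s)
        print(f"{s:<28} {status:<10} fixed build: {fixed or 'n/a'}")
```

A GA build with no -p suffix (for example "2.4.6") is deliberately treated as below "2.4.6-p13", and a release line that is not in the table is reported as "unlisted" rather than "fixed", so an end-of-life 2.4.3 host is flagged for manual review instead of silently passing.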


Vulnerability Details

For each issue: vulnerability category, impact, severity, whether
authentication is required to exploit, whether the exploit requires
admin privileges, CVSS base score, CVSS vector, CVE number.

CVE-2025-54263
    Category:                             Improper Access Control (CWE-284)
    Impact:                               Security feature bypass
    Severity:                             Critical
    Authentication required to exploit?   Yes
    Exploit requires admin privileges?    Yes
    CVSS base score:                      8.8
    CVSS vector:                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-54264
    Category:                             Cross-site Scripting (Stored XSS) (CWE-79)
    Impact:                               Privilege escalation
    Severity:                             Critical
    Authentication required to exploit?   Yes
    Exploit requires admin privileges?    Yes
    CVSS base score:                      8.1
    CVSS vector:                          CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

CVE-2025-54265
    Category:                             Incorrect Authorization (CWE-863)
    Impact:                               Security feature bypass
    Severity:                             Important
    Authentication required to exploit?   No
    Exploit requires admin privileges?    No
    CVSS base score:                      5.9
    CVSS vector:                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2025-54266
    Category:                             Cross-site Scripting (Stored XSS) (CWE-79)
    Impact:                               Arbitrary code execution
    Severity:                             Important
    Authentication required to exploit?   Yes
    Exploit requires admin privileges?    Yes
    CVSS base score:                      4.8
    CVSS vector:                          CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVE-2025-54267
    Category:                             Incorrect Authorization (CWE-863)
    Impact:                               Privilege escalation
    Severity:                             Important
    Authentication required to exploit?   Yes
    Exploit requires admin privileges?    Yes
    CVSS base score:                      6.5
    CVSS vector:                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

 
Note

Authentication required to exploit: The vulnerability is
(or is not) exploitable without credentials.

Exploit requires admin privileges: The vulnerability is
(or is not) only exploitable by an attacker with administrative
privileges.


Acknowledgements

Adobe would like to thank the following researchers for reporting
these issues and working with Adobe to help protect our customers:

    Akash Hamal (akashhamal0x01) -- CVE-2025-54263, CVE-2025-54265, CVE-2025-54267
    wohli -- CVE-2025-54264
    Oleksii Suchalkin (schemonah) -- CVE-2025-54266

NOTE: Adobe has a public bug bounty program with HackerOne.
If you are interested in working with Adobe as an external
security researcher, please check out https://hackerone.com/adobe.

For more information, visit https://helpx.adobe.com/security.html,
or email PSIRT@adobe.com.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
