Login Sign Up

CVE-2021-43764

8.0 HIGH
Cross-Site Scripting

📋 TL;DR

This stored Cross-Site Scripting (XSS) vulnerability in Adobe Experience Manager allows attackers to inject malicious JavaScript into vulnerable form fields. When users visit pages containing these compromised fields, their browsers execute the attacker's scripts. This affects AEM Cloud Service and AEM 6.5.10.0 and earlier versions.

💻 Affected Systems

Products:
  • Adobe Experience Manager (AEM)
Versions: AEM Cloud Service, AEM 6.5.10.0 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker access to vulnerable form fields; typically affects content authoring interfaces

📦 What is this software?

Experience Manager by Adobe

View all CVEs affecting Experience Manager →

Experience Manager Cloud Service by Adobe

View all CVEs affecting Experience Manager Cloud Service →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal user session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on victim systems.

🟠

Likely Case

Session hijacking, credential theft, defacement of web pages, or data exfiltration from user browsers.

🟢

If Mitigated

Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to vulnerable form fields; typically requires some level of user interaction or content authoring access

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: AEM 6.5.11.0 or later

Vendor Advisory: https://helpx.adobe.com/security/products/experience-manager/apsb21-103.html

Restart Required: Yes

Instructions:

1. Download AEM 6.5.11.0 or later from Adobe distribution portal. 2. Apply the service pack following Adobe's installation guide. 3. Restart AEM instance. 4. For AEM Cloud Service, Adobe automatically applies patches.

🔧 Temporary Workarounds

Input Validation and Output Encoding

all

Implement server-side input validation and proper output encoding for all user-controllable fields

Content Security Policy

all

Implement strict Content Security Policy headers to restrict script execution

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block XSS payloads
  • Restrict access to content authoring interfaces to trusted users only

🔍 How to Verify

Check if Vulnerable:

Check AEM version via AEM Web Console (/system/console) or by examining CRX package manager

Check Version:

curl -u admin:password http://localhost:4502/system/console/status-productinfo

Verify Fix Applied:

Verify AEM version is 6.5.11.0 or later and test form fields for XSS payload acceptance

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to form endpoints with script tags
  • Multiple failed login attempts followed by form submissions

Network Indicators:

  • HTTP requests containing script tags or JavaScript payloads in form data

SIEM Query:

source="aem_access.log" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")

📊 Metadata

CVE ID: CVE-2021-43764
CVSS v3 Score: 8.0 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-79
Published: January 13, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-43764, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)