CVE-2024-26037

5.4 MEDIUM

📋 TL;DR

This DOM-based Cross-Site Scripting vulnerability in Adobe Experience Manager allows attackers to execute arbitrary JavaScript in victims' browsers by tricking users into clicking malicious links or submitting crafted forms. It affects AEM versions 6.5.20 and earlier, potentially compromising user sessions and data.

💻 Affected Systems

Products:
  • Adobe Experience Manager
Versions: 6.5.20 and earlier
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of affected versions are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover, session hijacking, data theft, and further exploitation of authenticated users' privileges within the AEM environment.

🟠 Likely Case

Session hijacking, data exfiltration from the current user's session, and potential redirection to malicious sites.

🟢 If Mitigated

Limited impact due to same-origin policy restrictions and user interaction requirements, with potential for minor data leakage.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (clicking malicious link or submitting form) and knowledge of specific vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5.21 or later

Vendor Advisory: https://helpx.adobe.com/security/products/experience-manager/apsb24-28.html

Restart Required: Yes

Instructions:

1. Download AEM 6.5.21 or later from Adobe's distribution portal.
2. Apply the service pack following Adobe's upgrade documentation.
3. Restart AEM instances.
4. Verify the update succeeded through the version check on AEM's welcome screen.

🔧 Temporary Workarounds

Input Validation Enhancement (applies to: all)

Implement additional client-side and server-side input validation for user-controllable data that could reach DOM sinks.

Content Security Policy (applies to: all)

Implement strict Content Security Policy headers to restrict script execution sources.

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to detect and block XSS payloads.
  • Educate users about phishing risks and suspicious links.

🔍 How to Verify

Check if Vulnerable:

Check the AEM version via the Welcome screen or CRXDE Lite. If the version is 6.5.20 or earlier, the system is vulnerable.

Check Version:

curl -k https://[aem-host]:[port]/libs/granite/core/content/login.html | grep 'AEM 6.5'

Verify Fix Applied:

Verify AEM version is 6.5.21 or later via Welcome screen. Test previously vulnerable endpoints with XSS payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript payloads in request parameters
  • Multiple failed XSS attempts from same source
  • Suspicious redirect patterns in access logs

Network Indicators:

  • HTTP requests containing script tags or JavaScript in parameters
  • Unusual outbound connections following user interaction with AEM

SIEM Query:

source="aem-access.log" AND ("<script" OR "javascript:" OR "onerror=" OR "onload=")
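A worked version of the log indicators above, added here as an example and not part of the advisory: it applies the same four indicators as the SIEM query to constructed Common-Log-Format access-log lines (the log layout is an assumption), but URL-decodes the request target first so percent-encoded and double-encoded variants are caught, and counts repeated hits per source IP.

```python
import re
from urllib.parse import unquote_plus

# Same indicator set as the SIEM query above, matched case-insensitively after URL-decoding.
XSS_INDICATORS = ("<script", "javascript:", "onerror=", "onload=")

# Assumed Common-Log-Format style access.log line: IP, ident, user, [time], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic); payload bodies are inert filler text.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2024:10:00:01 +0000] "GET /content/site/en.html?q=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Mar/2024:10:00:02 +0000] "GET /content/site/en.html?next=javascript:test HTTP/1.1" 302 0',
    '203.0.113.5 - - [12/Mar/2024:10:00:03 +0000] "GET /content/site/en.html?img=x%2520onerror%253Dtest HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Mar/2024:10:00:04 +0000] "GET /content/site/en.html?q=onload HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Mar/2024:10:00:05 +0000] "GET /libs/granite/core/content/login.html HTTP/1.1" 200 4096',
]

def decode_target(target: str) -> str:
    """URL-decode up to three times so double-encoded payloads (%253C -> %3C -> <) are unwrapped."""
    prev = None
    for _ in range(3):
        if target == prev:
            break
        prev, target = target, unquote_plus(target)
    return target.lower()

def find_indicators(line: str):
    """Return {ip, target, hits} when the decoded request target contains an indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    hits = [ind for ind in XSS_INDICATORS if ind in decoded]
    if not hits:
        return None
    return {"ip": m.group("ip"), "target": m.group("target"), "hits": hits}

def scan(lines, threshold: int = 3):
    """Return all flagged requests plus source IPs with >= threshold flagged requests ('multiple attempts from same source')."""
    flagged = [h for h in (find_indicators(l) for l in lines) if h]
    per_ip = {}
    for h in flagged:
        per_ip[h["ip"]] = per_ip.get(h["ip"], 0) + 1
    repeat_offenders = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return flagged, repeat_offenders
```

Note that a DOM-based payload carried only in the URL fragment (after `#`) is never sent to the server, so it will not appear in access logs at all; server-side log matching catches only the query-string and path variants.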

🔗 References
