CVE-2024-26049

4.8 MEDIUM

📋 TL;DR

This stored Cross-Site Scripting (XSS) vulnerability in Adobe Experience Manager allows privileged attackers to inject malicious JavaScript into vulnerable form fields. When victims browse pages containing these fields, their browsers execute the attacker's scripts. This affects Adobe Experience Manager versions 6.5.20 and earlier.

💻 Affected Systems

Products:
  • Adobe Experience Manager
Versions: 6.5.20 and earlier
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires privileged attacker access to exploit; affects both AEM Author and Publish instances

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Privileged attacker steals administrator credentials, takes full control of the AEM instance, and compromises all managed content and user data.

🟠

Likely Case

Privileged attacker performs session hijacking, steals sensitive data from user sessions, or defaces website content.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized before reaching user browsers.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated privileged access; stored XSS is a well-understood attack class, so the remaining difficulty is low once that access exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5.21 or later

Vendor Advisory: https://helpx.adobe.com/security/products/experience-manager/apsb24-28.html

Restart Required: Yes

Instructions:

1. Download Adobe Experience Manager 6.5.21 or later from Adobe's distribution portal.
2. Apply the service pack following Adobe's installation instructions.
3. Restart all AEM instances.
4. Verify the update was successful.

🔧 Temporary Workarounds

Input Validation Filter (all platforms)

  • Implement custom servlet filters to sanitize all user input in form fields
  • Implement a Java servlet filter using the OWASP Java Encoder library (an output-encoding library)

Content Security Policy (all platforms)

  • Implement strict CSP headers to prevent script execution from untrusted sources
  • Add a 'Content-Security-Policy' header with script-src 'self'

🧯 If You Can't Patch

  • Restrict privileged user access to only trusted administrators
  • Implement web application firewall (WAF) rules to block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check the AEM version via CRXDE Lite or the system console; if it is 6.5.20 or earlier, the system is vulnerable.

Check Version:

curl -u admin:password http://localhost:4502/system/console/status-productinfo

Verify Fix Applied:

Verify the AEM version is 6.5.21 or later, then test form fields with XSS payloads to confirm the input is sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual content modifications by privileged users
  • JavaScript payloads in request logs
  • Multiple failed XSS attempts

Network Indicators:

  • Suspicious script tags in HTTP requests
  • Unusual outbound connections from user browsers

SIEM Query:

source="aem-access.log" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
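The SIEM query above is a literal substring match, so it does not see percent-encoded forms of the same four indicators. As an added example (not part of this page or any Adobe tooling), the Python below applies those indicators to constructed, generic access-log lines after URL-decoding them; the log layout and field values are assumed and are not AEM's actual log format.

```python
from urllib.parse import unquote_plus

# The same four indicators as the SIEM query on this page, compared case-insensitively.
INDICATORS = ("<script>", "javascript:", "onerror=", "onload=")


def siem_literal_match(line: str) -> bool:
    """What the page's query does: literal substring match on the raw log line, no decoding."""
    raw = line.lower()
    return any(ind in raw for ind in INDICATORS)


def decode_request(line: str) -> str:
    """Percent-decode the line twice so one extra layer of encoding (e.g. %253C) is also
    unwrapped. unquote_plus also turns '+' into a space, which is correct for form bodies
    and harmless elsewhere in the line for this check."""
    return unquote_plus(unquote_plus(line))


def find_indicators(line: str) -> list:
    """Return the indicators present in the line, checked against its decoded form."""
    hay = decode_request(line).lower()
    return [ind for ind in INDICATORS if ind in hay]


def scan_log(lines) -> list:
    """Return (line_number, indicators) for every line that trips at least one indicator."""
    hits = []
    for number, line in enumerate(lines, start=1):
        found = find_indicators(line)
        if found:
            hits.append((number, found))
    return hits


# Constructed sample lines in a generic combined-log style (assumed layout, not real AEM output).
SAMPLE_LOG = [
    '10.0.0.5 - admin [01/Jan/2024:10:00:00 +0000] "POST /content/forms/af/contact.html HTTP/1.1" 200 512 "name=Alice"',
    '10.0.0.7 - editor [01/Jan/2024:10:01:00 +0000] "POST /content/forms/af/contact.html HTTP/1.1" 200 512 "name=%3Cscript%3Etest%3C%2Fscript%3E"',
    '10.0.0.9 - editor [01/Jan/2024:10:02:00 +0000] "GET /content/page.html?img=x%20onerror%3Dtest HTTP/1.1" 200 512 "-"',
    '10.0.0.3 - admin [01/Jan/2024:10:03:00 +0000] "GET /content/page.html HTTP/1.1" 200 512 "-"',
]

if __name__ == "__main__":
    for number, found in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(found)}  (literal query hit: {siem_literal_match(SAMPLE_LOG[number - 1])})")
```

Lines 2 and 3 are flagged only after decoding; the literal query misses both, which is the gap to close in the SIEM rule itself.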
