Login Sign Up

CVE-2024-26074

5.4 MEDIUM
Cross-Site Scripting

📋 TL;DR

This stored Cross-Site Scripting (XSS) vulnerability in Adobe Experience Manager allows attackers to inject malicious JavaScript into vulnerable form fields. When users visit pages containing these compromised fields, their browsers execute the attacker's code. This affects Adobe Experience Manager versions 6.5.20 and earlier.

💻 Affected Systems

Products:
  • Adobe Experience Manager
Versions: 6.5.20 and earlier
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker access to vulnerable form fields; affects both author and publish instances

📦 What is this software?

Experience Manager by Adobe

View all CVEs affecting Experience Manager →

Experience Manager by Adobe

View all CVEs affecting Experience Manager →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, hijack user sessions, deface websites, or redirect users to malicious sites, potentially leading to complete system compromise.

🟠

Likely Case

Attackers steal user session cookies or credentials, perform actions on behalf of authenticated users, or deface specific website components.

🟢

If Mitigated

With proper input validation and output encoding, the vulnerability would be prevented, though the underlying code flaw remains.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires attacker to have access to vulnerable form fields; stored XSS means payload persists

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5.21 or later

Vendor Advisory: https://helpx.adobe.com/security/products/experience-manager/apsb24-28.html

Restart Required: Yes

Instructions:

1. Download Adobe Experience Manager 6.5.21 or later from Adobe's distribution portal. 2. Apply the service pack following Adobe's installation guide. 3. Restart all AEM instances. 4. Verify the update was successful.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement custom servlet filters to sanitize all user input before processing

Implement Java servlet filter with OWASP Java Encoder library

Content Security Policy

all

Implement strict CSP headers to limit script execution

Add 'Content-Security-Policy' header with script-src directives

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads
  • Disable or restrict access to vulnerable form fields through permissions

🔍 How to Verify

Check if Vulnerable:

Check AEM version via CRXDE Lite or system console; versions 6.5.20 or earlier are vulnerable

Check Version:

curl -u admin:password http://localhost:4502/system/console/status-productinfo

Verify Fix Applied:

Verify version is 6.5.21 or later; test form fields with XSS payloads to confirm sanitization

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to form endpoints
  • Requests containing script tags or JavaScript in parameters

Network Indicators:

  • HTTP requests with suspicious script payloads in form data

SIEM Query:

source="aem_access.log" AND ("<script" OR "javascript:" OR "onload=" OR "onerror=")

📊 Metadata

CVE ID: CVE-2024-26074
CVSS v3 Score: 5.4 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Published: June 13, 2024
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-26074, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)