CVE-2024-26089

5.4 MEDIUM

📋 TL;DR

CVE-2024-26089 is a DOM-based Cross-Site Scripting (CWE-79) flaw in Adobe Experience Manager. An attacker who gets a victim to follow a crafted link to a vulnerable AEM page can run arbitrary JavaScript in that victim's browser, in the origin of the AEM site. Adobe lists AEM 6.5.20 and earlier as affected; exploitation requires user interaction.

💻 Affected Systems

Products:
  • Adobe Experience Manager
Versions: 6.5.20 and earlier
Operating Systems: All platforms running AEM
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of affected versions are vulnerable regardless of configuration.

📦 What is this software?

Adobe Experience Manager (AEM) is Adobe's enterprise content management and digital experience platform, built on Apache Sling, the Apache Felix OSGi container and a JCR content repository. It is normally deployed as author instances (where editors work) plus a publish tier that serves the public site, with the AEM Dispatcher caching module on Apache httpd or IIS in front of publish.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or deface web content.

🟠

Likely Case

Session hijacking, credential theft, or limited client-side data exfiltration from users who interact with malicious content.

🟢

If Mitigated

A strict Content Security Policy that forbids inline script (no 'unsafe-inline', or nonces/hashes in its place) stops the injected payload from executing at all. Where only a WAF or server-side filtering is in place, residual exposure remains for payloads carried in the URL fragment (which never reach the server) and for encoded variants the filter does not normalise.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ❌ No
Complexity: MEDIUM

Requires user interaction (the victim must open a crafted link to a vulnerable AEM page) and knowledge of the specific client-side sink, which Adobe's bulletin does not disclose.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5.21 or later

Vendor Advisory: https://helpx.adobe.com/security/products/experience-manager/apsb24-28.html

Restart Required: Yes

Instructions:

1. Download the AEM 6.5.21 (or later) service pack from Adobe Software Distribution.
2. Install it on every author and publish instance through CRX Package Manager, following the service pack release notes and Adobe's upgrade documentation.
3. Restart each AEM instance.
4. Verify the upgrade by checking the reported version (see "How to Verify" below).

🔧 Temporary Workarounds

Implement Content Security Policy

Platform: all

Serve a strict CSP so that injected inline script is not executed, for example from the Dispatcher / Apache httpd configuration in front of the publish tier:

Content-Security-Policy: script-src 'self'

Caveat: the header only helps if script-src (or default-src) does not contain 'unsafe-inline' without a nonce or hash, '*', or a bare scheme such as https:. AEM pages and the authoring UI make heavy use of inline and ClientLib-delivered scripts, so roll this out on publish first and test in staging; a policy that is loosened to keep the site working may no longer block the payload.

Input Validation Filter

Platform: all

Sanitise and encode user-controlled values before they reach the page, both server-side (Sling filters, HTL context-aware escaping) and in client-side code that writes to the DOM.

Caveat: DOM-based XSS executes in client-side JavaScript, often from sources such as location.hash or document.referrer that a server-side filter never sees. Server-side validation reduces the reflected variant only; the real fix is in the client-side code, which is what the vendor patch changes.
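The CSP workaround above only works if the effective script-src actually forbids inline and untrusted script. The following is an added example, not code from Adobe or from the original page: it parses a Content-Security-Policy header value and reports the settings that would let a DOM XSS payload through (missing script-src/default-src, 'unsafe-inline' without a nonce or hash, 'unsafe-eval', '*', bare schemes, data:). Use it against the header your Dispatcher actually emits before relying on it as a mitigation.

```python
"""Audit the script-src of a Content-Security-Policy header.

Added example, not code from Adobe or from the original page. It checks
whether the policy would stop the usual DOM-based XSS payloads (an injected
<script> element, an event-handler attribute, a javascript: URL, or an
eval() of attacker-controlled text) and flags settings that let them run.
"""
import re

NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)")


def parse_csp(header: str) -> dict:
    """Split "dir src src; dir src" into {directive: [sources]}.

    Directive names are case-insensitive; a repeated directive is ignored
    after its first occurrence, which is how browsers treat it.
    """
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_script_src(policy: dict):
    """script-src governs script; when absent default-src applies; when both
    are absent, script execution is unrestricted (returns None)."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def script_src_findings(header: str) -> list:
    """Return human-readable weaknesses; an empty list means inline script is
    blocked and remote script is limited to the listed origins."""
    sources = effective_script_src(parse_csp(header))
    if sources is None:
        return ["no script-src or default-src: script execution is unrestricted"]

    findings = []
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in lowered)

    # CSP Level 3: a nonce or hash makes 'unsafe-inline' a no-op in current browsers.
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        findings.append("'unsafe-inline' without nonce or hash: injected inline script runs")
    if "'unsafe-eval'" in lowered:
        findings.append("'unsafe-eval': eval()/new Function() sinks stay exploitable")
    if "*" in lowered:
        findings.append("'*' allows script from any origin")
    if any(s in ("http:", "https:") for s in lowered):
        findings.append("bare scheme source allows script from any host on that scheme")
    if "data:" in lowered:
        findings.append("data: allows script from data: URLs")
    return findings


def blocks_inline_script(header: str) -> bool:
    """True when the policy has no finding, i.e. it is a usable XSS mitigation."""
    return not script_src_findings(header)


if __name__ == "__main__":
    # Weak and hardened policies side by side (constructed examples).
    for hdr in ("default-src 'self' 'unsafe-inline'",
                "script-src 'self' 'nonce-r4nd0m'",
                "script-src 'self'"):
        print(f"{hdr!r}: {script_src_findings(hdr) or 'OK'}")
```

Feed it the header from `curl -sI https://your-publish-host/ | grep -i content-security-policy`; a policy that returns no findings is the one worth keeping as a stopgap until 6.5.21 is installed.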

🧯 If You Can't Patch

  • Put a WAF with XSS rule sets in front of the publish tier (or tighten the Dispatcher filter rules), keeping in mind that rules must normalise percent-encoding and that payloads carried in the URL fragment never reach the server at all
  • Serve a strict Content-Security-Policy so injected inline script cannot run, limit who can author or link content on the affected instance, and segment author instances from general user networks

🔍 How to Verify

Check if Vulnerable:

Read the installed version from the OSGi web console (System Console > Status > Product Information) on each author and publish instance. If it reports 6.5.20 or earlier, that instance is vulnerable.

Check Version:

curl -s -u "$AEM_USER:$AEM_PASS" http://localhost:4502/system/console/status-productinfo | grep 'Adobe Experience Manager'

The web console requires an administrative login; use the publish port (4503 by default) for publish instances.

Verify Fix Applied:

Confirm the reported version is 6.5.21 or later on every instance. Adobe's bulletin does not name the affected component, so the version check is the primary verification; any XSS regression testing of your own client-side code belongs in a staging environment that runs the same CSP as production.
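To turn the version check above into something a fleet inventory script can consume, here is an added example (not from Adobe or from the original page). It parses the product line printed by the System Console's Product Information page and compares it against the fixed release. The exact output format is assumed to be "Adobe Experience Manager (6.5.20.0)"; adjust the regular expression if your console prints it differently.

```python
"""Decide whether an AEM 6.5 instance is in the affected range for this CVE.

Added example, not from Adobe or the original page. The product-info line
format "Adobe Experience Manager (6.5.20.0)" is an assumption.
"""
import re
from typing import Optional, Tuple

FIXED_VERSION = (6, 5, 21)  # first 6.5 service pack carrying the fix, per the advisory above
VERSION_RE = re.compile(r"Adobe Experience Manager\s*\((\d+(?:\.\d+)+)\)")

# Constructed sample of the relevant product-info line, not a real capture.
SAMPLE_PRODUCTINFO = "Adobe Experience Manager (6.5.20.0)"


def parse_aem_version(productinfo: str) -> Optional[Tuple[int, ...]]:
    """Return the version as a tuple of ints, or None if no product line is present."""
    match = VERSION_RE.search(productinfo)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version: Tuple[int, ...]) -> bool:
    """True for 6.5.x releases below 6.5.21.

    Only the 6.5 line is in scope here; AEM as a Cloud Service reports a
    different version string and is tracked separately in Adobe's bulletin.
    Trailing components such as the ".0" in 6.5.20.0 do not affect the result.
    """
    if version[:2] != FIXED_VERSION[:2]:
        return False
    return version[:3] < FIXED_VERSION


if __name__ == "__main__":
    found = parse_aem_version(SAMPLE_PRODUCTINFO)
    print(found, "affected" if found and is_affected(found) else "not affected")
```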

📡 Detection & Monitoring

Log Indicators:

  • Script markers (<script, javascript:, on*= event handlers) in request query strings, including percent-encoded and double-encoded forms
  • Bursts of requests to the same AEM page from one source with many distinct, unusually long parameter values (payload tuning)

Network Indicators:

  • Encoded script in HTTP request targets seen at the Dispatcher, reverse proxy or WAF
  • Browser-side beaconing to unknown hosts shortly after an AEM page load (visible only in client-side telemetry or egress proxy logs, not in AEM's own logs)

Caveat: a DOM-based XSS payload is often carried in the URL fragment (#...), which browsers never send to the server, so neither AEM access logs nor a WAF will record it. Server-side hunting catches the query-string variant only; add a CSP report-uri/report-to endpoint to see inline script being blocked on the client.

SIEM Query:

source="aem-access.log" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=" OR "%3Cscript" OR "javascript%3A" OR "onerror%3D" OR "onload%3D")

The literal terms alone miss percent-encoded payloads, which is why the encoded forms are included; normalising the request URI before matching is more robust than enumerating encodings.
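The gap between a literal SIEM search and a decode-then-match scan is easiest to see on real-looking lines. The following is an added example, not code from Adobe or from the original page; the access-log lines are constructed samples in Apache combined format, not captured traffic. It applies the literal tokens from the query above and a normalising scanner to the same lines, and includes one line standing in for a fragment-carried payload that no server-side record can reveal.

```python
"""Scan access-log request lines for XSS payload markers.

Added example, not from Adobe or the original page. It shows that a literal
search such as "<script>" misses percent-encoded payloads, and that anything
carried in the URL fragment (#...) is never sent to the server at all.
The log lines below are constructed samples, not real traffic.
"""
import re
from urllib.parse import unquote_plus

SAMPLE_LOG = """\
203.0.113.10 - - [12/Jun/2024:10:01:02 +0000] "GET /content/site/en.html?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Jun/2024:10:01:05 +0000] "GET /content/site/en.html?name=%22%20onerror%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Jun/2024:10:01:09 +0000] "GET /content/site/en.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Jun/2024:10:01:12 +0000] "GET /content/site/en.html?redirect=javascript:alert(1) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
# Line 3 stands in for a request whose payload travelled in the fragment
# (e.g. en.html#<img src=x onerror=alert(1)>): the browser strips it before
# sending, so the server-side record is indistinguishable from a clean hit.

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/[\d.]+"')
XSS_MARKERS = re.compile(r"<\s*script|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)
LITERAL_TOKENS = ("<script>", "javascript:", "onerror=", "onload=")  # the SIEM query's literals


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so double-encoded payloads are caught."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def literal_scan(log_text: str) -> list:
    """What a literal SIEM search flags: line numbers containing a raw token."""
    return [n for n, line in enumerate(log_text.splitlines(), 1)
            if any(tok in line for tok in LITERAL_TOKENS)]


def scan_log(log_text: str) -> list:
    """Decode the request target first, then match; returns one dict per hit."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        req = REQUEST_RE.search(line)
        if not req:
            continue
        target = normalize(req.group(1))
        marker = XSS_MARKERS.search(target)
        if marker:
            hits.append({"line": n, "marker": marker.group(0), "target": target})
    return hits


if __name__ == "__main__":
    print("literal query flags lines:", literal_scan(SAMPLE_LOG))
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['marker']!r} in {hit['target']}")
```

On the sample, the literal search flags only the unencoded javascript: line, while the normalising scan flags three of the four; the fourth (fragment-carried) payload is invisible to both, which is the detection limit the caveat above describes.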

🔗 References

  • Adobe Security Bulletin APSB24-28: https://helpx.adobe.com/security/products/experience-manager/apsb24-28.html