Login Sign Up

CVE-2024-36168

5.4 MEDIUM
Cross-Site Scripting

📋 TL;DR

This stored Cross-Site Scripting (XSS) vulnerability in Adobe Experience Manager allows attackers to inject malicious JavaScript into vulnerable form fields. When users visit pages containing these compromised fields, their browsers execute the attacker's scripts. This affects Adobe Experience Manager versions 6.5.20 and earlier.

💻 Affected Systems

Products:
  • Adobe Experience Manager
Versions: 6.5.20 and earlier
Operating Systems: All platforms running AEM
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both AEM Author and Publish instances. Vulnerability exists in form fields that don't properly sanitize user input.

📦 What is this software?

Experience Manager by Adobe

View all CVEs affecting Experience Manager →

Experience Manager by Adobe

View all CVEs affecting Experience Manager →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on victim systems.

🟠

Likely Case

Session hijacking, credential theft, defacement of web pages, or redirection to phishing sites.

🟢

If Mitigated

Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to submit data to vulnerable form fields. Typically requires some level of access to the AEM interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5.21 or later

Vendor Advisory: https://helpx.adobe.com/security/products/experience-manager/apsb24-28.html

Restart Required: Yes

Instructions:

1. Download Adobe Experience Manager 6.5.21 or later from Adobe's distribution portal. 2. Apply the service pack following Adobe's installation guide. 3. Restart the AEM instance. 4. Verify the update was successful.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement server-side input validation and output encoding for all form fields

Content Security Policy

all

Implement strict CSP headers to prevent script execution from untrusted sources

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads
  • Disable or restrict access to vulnerable form fields and components

🔍 How to Verify

Check if Vulnerable:

Check AEM version via the Welcome screen or OSGi console. Versions 6.5.20 and earlier are vulnerable.

Check Version:

Check via AEM Welcome screen or use CRXDE Lite to examine /libs/cq/core/content/welcome.html

Verify Fix Applied:

Verify AEM version is 6.5.21 or later and test form fields for proper input sanitization.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to form endpoints
  • Requests containing script tags or JavaScript in form data

Network Indicators:

  • HTTP requests with suspicious payloads in form parameters
  • Outbound connections to unknown domains following form submissions

SIEM Query:

source="aem-access.log" AND ("<script>" OR "javascript:" OR "onload=" OR "onerror=")

📊 Metadata

CVE ID: CVE-2024-36168
CVSS v3 Score: 5.4 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Published: June 13, 2024
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-36168, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)