CVE-2024-36172

5.4 MEDIUM

📋 TL;DR

Adobe Experience Manager versions 6.5.20 and earlier contain a stored Cross-Site Scripting (XSS) vulnerability: an attacker who can write to a vulnerable form field can inject JavaScript that is persisted by the server. When a user later visits a page that renders the compromised field, the user's browser executes the injected script. This affects all organizations running vulnerable AEM versions.

💻 Affected Systems

Products:
  • Adobe Experience Manager
Versions: 6.5.20 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both author and publish instances. Requires attacker access to vulnerable form fields.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator session cookies, perform actions as authenticated users, deface websites, or redirect users to malicious sites.

🟠

Likely Case

Attackers inject malicious scripts to steal user session data or credentials from authenticated users accessing compromised pages.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts would be neutralized before execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to submit data to a vulnerable form field, which typically requires some level of access to the instance.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5.21 or later

Vendor Advisory: https://helpx.adobe.com/security/products/experience-manager/apsb24-28.html

Restart Required: Yes

Instructions:

1. Download AEM 6.5.21 or later from Adobe distribution.
2. Follow Adobe's upgrade procedures.
3. Restart AEM instances after the upgrade.

🔧 Temporary Workarounds

Input Validation Filter

Applies to: all

Implement server-side input validation to sanitize form field inputs. Configure AEM filters to validate and sanitize user inputs.

Content Security Policy

Applies to: all

Implement CSP headers to restrict script execution. Add Content-Security-Policy HTTP headers to restrict script sources.
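The two workarounds above are easier to reason about side by side. The following is an added example, not Adobe's code and not part of the advisory: it shows the vulnerable pattern (a stored field value concatenated straight into HTML) next to the hardened form (entity-encoding at the output boundary), and a small checker that tells a weak Content-Security-Policy (one that permits inline scripts) from one that would stop an injected inline `<script>` from running. The stored field values, the two CSP strings and the render functions are all constructed for illustration.

```python
import html

# Constructed stored form-field values, as a vulnerable instance might persist them
STORED_FIELDS = {
    "name": "Alice",
    "message": "<script>alert('xss')</script>",
}


def render_field_unsafe(label: str, value: str) -> str:
    # Vulnerable pattern: the stored value is interpolated into the page unchanged,
    # so any markup the submitter wrote becomes live HTML in every visitor's browser.
    return f"<label>{label}</label><div class='value'>{value}</div>"


def render_field_safe(label: str, value: str) -> str:
    # Hardened pattern: HTML-entity encode at the output boundary. html.escape with
    # quote=True also converts ' and ", so the value is safe inside attributes too.
    return (
        f"<label>{html.escape(label, quote=True)}</label>"
        f"<div class='value'>{html.escape(value, quote=True)}</div>"
    )


# Weak policy: 'unsafe-inline' lets an injected inline <script> execute.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"

# Hardened policy (constructed): scripts only from same origin, no inline execution.
HARDENED_CSP = (
    "default-src 'self'; "
    "script-src 'self'; "
    "object-src 'none'; "
    "base-uri 'self'; "
    "frame-ancestors 'none'"
)


def parse_csp(value: str) -> dict:
    # Split a Content-Security-Policy header value into {directive: [source, ...]}
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_blocks_inline_scripts(value: str) -> bool:
    # True when the policy would prevent an injected inline script from running.
    # script-src governs scripts; default-src is the fallback when script-src is absent.
    d = parse_csp(value)
    sources = d.get("script-src", d.get("default-src", []))
    if not sources:
        return False  # no script restriction at all
    # A nonce or hash source makes browsers ignore 'unsafe-inline' (CSP level 2+)
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    return "'unsafe-inline'" not in sources or has_nonce_or_hash


if __name__ == "__main__":
    for label, value in STORED_FIELDS.items():
        print("unsafe:", render_field_unsafe(label, value))
        print("safe:  ", render_field_safe(label, value))
    print("weak CSP blocks inline scripts:", csp_blocks_inline_scripts(WEAK_CSP))
    print("hardened CSP blocks inline scripts:", csp_blocks_inline_scripts(HARDENED_CSP))
```

Two caveats a practitioner would want: entity encoding is only correct for HTML body and attribute contexts, so a value that ends up inside a script block, a URL or a CSS property needs the encoder for that context instead; and CSP is a backstop that limits what an injected script can do, not a substitute for encoding, so both workarounds belong in place until 6.5.21 is deployed.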

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads
  • Disable or restrict access to vulnerable form fields until patching is possible

🔍 How to Verify

Check if Vulnerable:

Check the AEM version via the admin console or CRXDE. If the version is 6.5.20 or earlier, the system is vulnerable.

Check Version:

Check the AEM welcome page or use CRXDE to view version information.

Verify Fix Applied:

Verify that the AEM version is 6.5.21 or later, then test the form fields to confirm that XSS payloads are no longer accepted and rendered as live markup.

📡 Detection & Monitoring

Log Indicators:

  • Unusual form submissions with script tags
  • Multiple failed XSS attempts in request logs

Network Indicators:

  • HTTP requests containing script injection patterns to form endpoints

SIEM Query:

source="aem_logs" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
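The SIEM query above matches literal strings, which misses the common case where the payload arrives URL-encoded or in mixed case in the request log. The following is an added example, not part of this advisory: it applies the same four indicators as case-insensitive patterns after URL-decoding each line, then counts repeated hits per client to surface the "multiple attempts" indicator. The log lines are constructed in an Apache-style format and are not real AEM logs; the form path and client addresses are invented.

```python
import re
from urllib.parse import unquote_plus

# The four indicators from the SIEM query, as case-insensitive patterns
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bonerror\s*=", re.I),
    re.compile(r"\bonload\s*=", re.I),
]

# Constructed sample request log (Apache-style, with the request body appended);
# the form endpoint and IP addresses are invented for this example.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/May/2024:10:01:12 +0000] "POST /content/forms/af/contact.html HTTP/1.1" 200 512 "name=Alice&message=Hello+there"
10.0.0.7 - - [12/May/2024:10:02:45 +0000] "POST /content/forms/af/contact.html HTTP/1.1" 200 512 "name=%3Cscript%3Ealert(1)%3C%2Fscript%3E&message=test"
10.0.0.7 - - [12/May/2024:10:03:02 +0000] "POST /content/forms/af/contact.html HTTP/1.1" 200 512 "name=x&message=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E"
10.0.0.9 - bob [12/May/2024:10:04:10 +0000] "GET /content/site/en.html HTTP/1.1" 200 8123 "-"
10.0.0.7 - - [12/May/2024:10:05:33 +0000] "POST /content/forms/af/contact.html HTTP/1.1" 200 512 "name=y&message=JaVaScRiPt%3Aalert(1)"
"""


def decode_for_inspection(text: str) -> str:
    # URL-decode up to twice so double-encoded payloads are also visible;
    # stop early once decoding no longer changes the text.
    prev, cur = None, text
    for _ in range(2):
        if cur == prev:
            break
        prev, cur = cur, unquote_plus(cur)
    return cur


def scan_log_line(line: str) -> list:
    # Return the patterns that match this line after decoding
    decoded = decode_for_inspection(line)
    return [p.pattern for p in XSS_PATTERNS if p.search(decoded)]


def scan_log(log_text: str) -> list:
    # One hit record per matching line: line number, client address, matched patterns
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        matched = scan_log_line(line)
        if matched:
            hits.append({"line": number, "client": line.split()[0], "patterns": matched})
    return hits


def repeat_offenders(hits: list, threshold: int = 2) -> dict:
    # Clients with at least `threshold` matching requests (the "multiple attempts" indicator)
    counts = {}
    for hit in hits:
        counts[hit["client"]] = counts.get(hit["client"], 0) + 1
    return {client: n for client, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(f"line {hit['line']} from {hit['client']}: {hit['patterns']}")
    print("repeat offenders:", repeat_offenders(found))
```

Because the advisory's indicators are generic XSS strings, expect false positives from legitimate content that mentions scripting; treat a single hit as low-confidence and the per-client repeat count, combined with submissions to the form endpoints rather than arbitrary paths, as the signal worth alerting on.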
