CVE-2024-36184

5.4 MEDIUM

📋 TL;DR

This DOM-based Cross-Site Scripting (XSS) vulnerability in Adobe Experience Manager allows attackers to execute arbitrary JavaScript in victims' browsers when users interact with malicious content. It affects AEM versions 6.5.20 and earlier. Attackers could steal session cookies, redirect users, or perform actions on their behalf.

💻 Affected Systems

Products:
  • Adobe Experience Manager
Versions: 6.5.20 and earlier
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of affected versions are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover, data theft, or malicious actions performed as authenticated users if combined with other vulnerabilities.

🟠 Likely Case

Session hijacking, credential theft, or defacement of user-facing content.

🟢 If Mitigated

Limited impact due to user interaction requirement and proper input validation/sanitization.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction (clicking malicious link or submitting crafted form).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5.21 or later

Vendor Advisory: https://helpx.adobe.com/security/products/experience-manager/apsb24-28.html

Restart Required: Yes

Instructions:

1. Download AEM 6.5.21 or later from the Adobe Distribution portal.
2. Apply the Service Pack following Adobe's upgrade documentation.
3. Restart AEM instances.
4. Verify the update succeeded.

🔧 Temporary Workarounds

Content Security Policy (CSP)

Platforms: all

Implement strict CSP headers so that script execution is restricted to trusted sources.

Add a Content-Security-Policy header with appropriate directives.
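To make the CSP workaround concrete, here is an added example (not Adobe's code and not part of the advisory) that parses a Content-Security-Policy header value and reports the settings that would still let injected script run, evaluating script-src with default-src as fallback the way a browser does. The two sample policies, the list of permissive source expressions and the nonce value are constructed for illustration; it also handles the edge case that browsers ignore 'unsafe-inline' once a nonce or hash is present.

```python
"""Check a Content-Security-Policy header value for settings that would
still let injected script run.

Added example for this advisory, not Adobe's code: it parses the raw header
value into directives, then evaluates the directive that governs script
execution (script-src, falling back to default-src) the way a browser would.
The two sample policies at the bottom are constructed for illustration.
"""
from typing import Dict, List

# Source expressions that make script-src ineffective against XSS
# (constructed list for this check: '*', scheme-only sources and
# 'unsafe-inline'/'unsafe-eval' all admit injected script).
PERMISSIVE_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split 'a b c; d e' into {'a': ['b', 'c'], 'd': ['e']}; names lower-cased."""
    directives: Dict[str, List[str]] = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_weaknesses(header_value: str) -> List[str]:
    """Return findings about script execution; an empty list means none found."""
    csp = parse_csp(header_value)
    script_sources = csp.get("script-src", csp.get("default-src"))
    if script_sources is None:
        return ["no script-src or default-src: script execution is unrestricted"]

    findings: List[str] = []
    # Browsers that understand nonces/hashes (CSP Level 2+) ignore
    # 'unsafe-inline' whenever one is present, so do not flag it then.
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in script_sources)
    for source in script_sources:
        keyword = source.lower()
        if keyword == "'unsafe-inline'" and has_nonce_or_hash:
            continue
        if keyword in PERMISSIVE_SOURCES:
            findings.append(f"script-src allows {source}")
    # Plugin content can also execute script unless object-src is locked down.
    if "object-src" not in csp and "default-src" not in csp:
        findings.append("no object-src or default-src: plugin content is unrestricted")
    return findings


# Constructed sample policies: the first is the kind of permissive header that
# leaves DOM XSS exploitable; the second is a nonce-based policy that blocks
# injected inline or third-party script.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' *"
STRICT_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0mV4lu3'; object-src 'none'; base-uri 'self'"

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(label, csp_weaknesses(policy) or ["no weaknesses found"])
```

Run it against the header your dispatcher or CDN actually emits (for example the value copied from the browser's network panel); a nonce-based policy like STRICT_CSP only helps if the nonce is fresh per response and every legitimate inline script carries it, otherwise the site's own scripts stop loading and the policy gets relaxed again.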

Input Validation

Platforms: all

Implement server-side validation and sanitization of all user inputs.

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) with XSS protection rules
  • Restrict user access to only trusted domains and implement clickjacking protection

🔍 How to Verify

Check if Vulnerable:

Check the AEM version via CRXDE Lite or the OSGi console. If the version is 6.5.20 or earlier, the system is vulnerable.

Check Version:

curl -u admin:password http://localhost:4502/system/console/status-productinfo

Verify Fix Applied:

Confirm that the AEM version is 6.5.21 or later and that XSS test payloads no longer execute.
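The version check above is easy to get wrong by string comparison (for example "6.5.9" sorting after "6.5.20"). The following added example (not Adobe's code) compares dotted versions numerically against the 6.5.21 fix. It assumes the status-productinfo response contains a line of the form "Adobe Experience Manager (6.5.20.0)"; that line format and the SAMPLE_PRODUCT_INFO text are constructed assumptions, so adjust the pattern to what your instance returns.

```python
"""Decide from AEM product information whether the running version is below
the 6.5.21 fix.

Added example for this advisory, not Adobe's code. It assumes the
status-productinfo page contains a line of the form
'Adobe Experience Manager (6.5.20.0)'; that format is an assumption, and
SAMPLE_PRODUCT_INFO below is a constructed stand-in for the real response.
"""
import re
from typing import Optional, Tuple

FIXED_VERSION: Tuple[int, ...] = (6, 5, 21)  # first fixed release named in the advisory

# Assumed format of the product line; adjust the pattern if your instance differs.
PRODUCT_LINE_RE = re.compile(r"Adobe Experience Manager \((\d+(?:\.\d+)+)\)")

# Constructed sample of what the status-productinfo request might return.
SAMPLE_PRODUCT_INFO = """\
Installed Products
Adobe Experience Manager (6.5.20.0)
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.5.20.0' into (6, 5, 20, 0); reject anything that is not dotted digits."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"not a dotted version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version: str) -> bool:
    """True when the version is 6.5.20 or earlier, i.e. sorts below 6.5.21.

    Tuple comparison handles differing lengths: (6, 5, 21, 0) is not below
    (6, 5, 21), so a patched '6.5.21.0' reports as fixed.
    """
    return parse_version(version) < FIXED_VERSION


def extract_version(product_info: str) -> Optional[str]:
    """Pull the AEM version out of status-productinfo text, or None if absent."""
    match = PRODUCT_LINE_RE.search(product_info)
    return match.group(1) if match else None


def assess(product_info: str) -> str:
    """One-line verdict for the product info text."""
    version = extract_version(product_info)
    if version is None:
        return "could not determine AEM version"
    state = "VULNERABLE (below 6.5.21)" if is_vulnerable(version) else "fixed"
    return f"AEM {version}: {state}"


if __name__ == "__main__":
    print(assess(SAMPLE_PRODUCT_INFO))
```

Feed it the body returned by the curl command in the Check Version step; when the product line is not found the verdict says so rather than guessing, which is the behaviour you want in an inventory script that runs across many instances.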

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript payloads in request logs
  • Suspicious form submissions with script tags

Network Indicators:

  • Requests containing script injection patterns
  • Unusual redirects to external domains

SIEM Query:

source="aem-access.log" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
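The SIEM query above matches the literal terms, so percent-encoded requests slip past it. As an added example (not Adobe's code and not part of the advisory), the script below applies the same four terms to constructed access-log lines after URL-decoding the request target, including a bounded second decode for double-encoded input. The log lines in SAMPLE_LOG are constructed in a common-log-format style and are not real traffic.

```python
"""Scan AEM access-log lines for the script-injection terms used in the
SIEM query above, after URL-decoding the request target.

Added example for this advisory, not Adobe's code. The log lines in
SAMPLE_LOG are constructed in a common-log-format style and are not real
traffic; PATTERNS repeats the terms from the SIEM query.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote_plus

PATTERNS = ["<script>", "javascript:", "onerror=", "onload="]

# Captures the request target (path and query) from a CLF-style request field.
REQUEST_TARGET_RE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+)')

# Constructed sample: line 2 carries a percent-encoded script tag and line 3 a
# double-encoded event handler; lines 1 and 4 are ordinary page requests.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2024:10:00:01 +0000] "GET /content/site/en.html HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jul/2024:10:00:02 +0000] "GET /content/site/en/search.html?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jul/2024:10:00:03 +0000] "GET /content/site/en.html?ref=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 2048
10.0.0.11 - - [01/Jul/2024:10:00:04 +0000] "GET /etc.clientlibs/site/clientlibs/site.js HTTP/1.1" 200 9001
"""


def normalize(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) and lower-case, so that encoded
    and double-encoded text matches the same plain-text patterns."""
    current = target
    for _ in range(max_rounds):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()


def find_xss_indicators(log_text: str) -> List[Tuple[int, List[str]]]:
    """Return (line number, matched patterns) for each line that hits a pattern."""
    hits: List[Tuple[int, List[str]]] = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_TARGET_RE.search(line)
        # Fall back to the whole line if the request field is not in the expected shape.
        text = normalize(match.group(1) if match else line)
        matched = [p for p in PATTERNS if p in text]
        if matched:
            hits.append((number, matched))
    return hits


if __name__ == "__main__":
    for number, matched in find_xss_indicators(SAMPLE_LOG):
        print(f"line {number}: {', '.join(matched)}")
```

One caveat specific to DOM-based XSS: the injected value often sits in the URL fragment (the part after #), which browsers never send to the server, so access logs can be blind to it. Treat an empty result as absence of evidence, not evidence of absence, and rely on patching and the CSP workaround rather than on log hunting alone. Most SIEMs offer a URL-decode function that lets you fold this normalization into the query itself.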

🔗 References
