CVE-2024-36190

5.4 MEDIUM

📋 TL;DR

This DOM-based Cross-Site Scripting vulnerability in Adobe Experience Manager allows attackers to execute malicious JavaScript in victims' browsers when they interact with specially crafted content. It affects AEM versions 6.5.20 and earlier. Attackers could potentially steal session cookies, redirect users, or perform actions on their behalf.

💻 Affected Systems

Products:
  • Adobe Experience Manager
Versions: 6.5.20 and earlier
Operating Systems: All platforms running AEM
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of affected versions are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker steals administrator session cookies, gains full control of the AEM instance, and potentially accesses sensitive content or deploys additional malware.

🟠 Likely Case

Attacker steals user session cookies to impersonate legitimate users, potentially accessing unauthorized content or performing limited administrative actions.

🟢 If Mitigated

With proper input validation and output encoding, the attack fails to execute, resulting in no impact beyond failed exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction (clicking malicious link or submitting form). No public exploit code available as of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5.21 or later

Vendor Advisory: https://helpx.adobe.com/security/products/experience-manager/apsb24-28.html

Restart Required: Yes

Instructions:

1. Download AEM 6.5.21 or later from the Adobe distribution portal.
2. Back up the current instance.
3. Apply the update following Adobe's upgrade documentation.
4. Restart AEM services.
5. Verify that the update was applied successfully.

🔧 Temporary Workarounds

Content Security Policy Implementation

Applies to: all

Implement strict CSP headers to restrict script execution from untrusted sources.

Add the header Content-Security-Policy: script-src 'self' to the web server configuration.

Input Validation Filter

Applies to: all

Deploy a custom servlet filter to sanitize user inputs before processing.

Implement javax.servlet.Filter to validate and sanitize all user inputs.

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) with XSS protection rules
  • Disable or restrict user-submitted content features in AEM

🔍 How to Verify

Check if Vulnerable:

Check AEM version via AEM Web Console (/system/console/bundles) or CRXDE Lite. If version is 6.5.20 or earlier, system is vulnerable.

Check Version:

curl -s -u 'admin:<password>' http://localhost:4502/system/console/bundles | grep 'Adobe Experience Manager'

The Web Console only answers to an authenticated administrative user, so supply credentials with -u (the password is a placeholder here); 4502 is the default author port, adjust it for your instance.

Verify Fix Applied:

Verify AEM version is 6.5.21 or later. Test XSS payloads in user input fields to confirm they are properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript payloads in request logs
  • Multiple failed XSS attempts in access logs
  • Suspicious user agent strings containing script tags

Network Indicators:

  • HTTP requests containing script tags or JavaScript events in parameters
  • Unusual redirect patterns from AEM instance

SIEM Query:

source="aem_access.log" AND ("<script>" OR "javascript:" OR "onclick=" OR "onload=")
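The SIEM query above matches the raw indicator strings literally, so it misses URL-encoded, double-encoded or mixed-case variants of the same payloads. The following added example (not part of this advisory, and not Adobe code) runs the same indicator list over a few constructed access-log lines in an Apache-style format with a trailing user agent, decoding and lower-casing each request target and user agent before matching, and then flags source addresses with repeated hits, which is the "multiple attempts" signal from the log indicators. The log format, IP addresses and requests are all made up for the example. Note that a DOM-based payload carried in a URL fragment is never sent to the server, so server-side logs only ever show the portion of an attempt that reaches AEM.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Indicator substrings from the advisory's SIEM query, matched case-insensitively
# after URL-decoding so encoded or mixed-case variants are not missed.
INDICATORS = ("<script", "javascript:", "onclick=", "onload=")

# Constructed sample lines approximating an AEM access.log (Apache-style common
# log format with a trailing user agent); none of these are real traffic.
SAMPLE_LOG = """\
10.0.0.5 - anonymous 01/Jan/2024:10:00:01 +0000 "GET /content/site/en.html HTTP/1.1" 200 5120 "Mozilla/5.0"
10.0.0.9 - anonymous 01/Jan/2024:10:00:02 +0000 "GET /content/site/search.html?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 3071 "Mozilla/5.0"
10.0.0.9 - anonymous 01/Jan/2024:10:00:03 +0000 "GET /content/site/search.html?q=%253CScRiPt%253E HTTP/1.1" 200 3071 "Mozilla/5.0"
10.0.0.9 - anonymous 01/Jan/2024:10:00:04 +0000 "GET /content/site/en.html?next=JavaScript:void(0) HTTP/1.1" 302 0 "Mozilla/5.0"
10.0.0.12 - anonymous 01/Jan/2024:10:00:05 +0000 "GET /content/site/en.html HTTP/1.1" 200 5120 "<script>alert(1)</script>"
"""

# Assumed line layout: ip - user timestamp "METHOD target HTTP/x" status size "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) (?P<ts>\S+ \S+) '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ua>[^"]*)")?$'
)


def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads like %253C normalise to '<'."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_indicators(text):
    """Return the indicator substrings present in text after decoding, compared case-insensitively."""
    lowered = decode_fully(text).lower()
    return [ind for ind in INDICATORS if ind in lowered]


def scan_log(log_text):
    """Return one finding per (line, field) whose decoded request target or user agent matches."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the whole scan
        for field in ("target", "ua"):
            hits = find_indicators(m.group(field) or "")
            if hits:
                findings.append({
                    "line": lineno,
                    "ip": m.group("ip"),
                    "field": field,
                    "indicators": hits,
                    "status": int(m.group("status")),
                })
    return findings


def repeat_offenders(findings, threshold=2):
    """Source IPs with at least `threshold` flagged requests (the 'multiple attempts' indicator)."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"line {h['line']}: {h['ip']} {h['field']} -> {h['indicators']} (HTTP {h['status']})")
    print("repeat offenders:", repeat_offenders(hits))
```

Run as-is it reports the three requests from 10.0.0.9 (plain, double-encoded and mixed-case variants) plus the script tag in the last line's user agent, and names 10.0.0.9 as a repeat source; the first line produces nothing. Feeding it a real access.log means adjusting LINE_RE to the exact format your instance writes.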

🔗 References