CVE-2024-36235

5.4 MEDIUM

📋 TL;DR

This DOM-based Cross-Site Scripting vulnerability in Adobe Experience Manager allows attackers to execute arbitrary JavaScript in victims' browsers by tricking users into clicking malicious links or submitting forms. It affects Adobe Experience Manager versions 6.5.20 and earlier, potentially compromising user sessions and data.

💻 Affected Systems

Products:
  • Adobe Experience Manager
Versions: 6.5.20 and earlier
Operating Systems: All platforms running AEM
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete account takeover, session hijacking, data theft, and further system compromise through chained attacks.

🟠 Likely Case: Session hijacking, data exfiltration, and unauthorized actions performed in the victim's context.

🟢 If Mitigated: Limited impact due to proper input validation, output encoding, and Content Security Policy implementation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction (clicking malicious link or submitting form). Attackers need to craft specific payloads targeting DOM manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5.21 or later

Vendor Advisory: https://helpx.adobe.com/security/products/experience-manager/apsb24-28.html

Restart Required: Yes

Instructions:

1. Download Adobe Experience Manager 6.5.21 or later from Adobe's official distribution.
2. Follow Adobe's upgrade documentation for your deployment type (on-premise or cloud).
3. Apply the update to all affected instances.
4. Restart the AEM service.
5. Verify the update was successful.

🔧 Temporary Workarounds

Implement Content Security Policy (applies to: all)

Add strict CSP headers to limit script execution sources and prevent inline scripts.

Add the header Content-Security-Policy: script-src 'self' to the web server configuration.

Input Validation Filter (applies to: all)

Implement server-side input validation for all user-controllable inputs that affect the DOM.

Configure AEM filters to sanitize user inputs before DOM manipulation.

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) with XSS protection rules
  • Disable or restrict user access to vulnerable components if possible

🔍 How to Verify

Check if Vulnerable:

Check AEM version via admin console or system/console/status page. If version is 6.5.20 or earlier, system is vulnerable.

Check Version:

curl -k https://[aem-host]:[port]/system/console/status-productinfo | grep 'Adobe Experience Manager'

Verify Fix Applied:

Verify AEM version is 6.5.21 or later. Test vulnerable endpoints with safe XSS payloads to confirm mitigation.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript payloads in request logs
  • Multiple failed attempts with script-like parameters
  • Requests to known vulnerable endpoints with encoded payloads

Network Indicators:

  • HTTP requests containing script tags or JavaScript in parameters
  • Unusual redirect patterns to external domains

SIEM Query:

source="aem_access.log" AND ("<script" OR "javascript:" OR "onerror=" OR "onload=")
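The SIEM query above only matches literal strings; DOM-based XSS payloads usually arrive percent-encoded (sometimes twice) in the query string. The following Python script is an added example, not part of this advisory, that applies the same four indicators to AEM access log lines after fully decoding the request path. The log lines are constructed for illustration and are not real traffic.

```python
import re
from urllib.parse import unquote

# Indicators taken from the advisory's SIEM query, matched case-insensitively
INDICATORS = ("<script", "javascript:", "onerror=", "onload=")

# Constructed sample lines in combined access-log format (not real traffic)
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2024:10:00:01 +0000] "GET /content/site/en.html HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jul/2024:10:00:02 +0000] "GET /content/site/en.html?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jul/2024:10:00:03 +0000] "GET /content/site/search.html?ref=javascript:void(0) HTTP/1.1" 302 0
10.0.0.9 - - [01/Jul/2024:10:00:04 +0000] "GET /content/site/en.html?img=x%2522%2520onerror%253Dalert(1) HTTP/1.1" 200 5120
"""

# client ip, timestamp, request path, status code
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return (ip, timestamp, status, hits) if the decoded request path contains
    an indicator, else None. Lines that do not parse are skipped."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, ts, path, status = m.groups()
    target = decode_fully(path).lower()
    hits = [ind for ind in INDICATORS if ind in target]
    return (ip, ts, status, hits) if hits else None


def scan_log(text):
    """Scan every line of an access log; return the suspicious requests in order."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, ts, status, hits in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} indicators={hits}")
```

Tune the indicator list to your environment before alerting on it; legitimate AEM component parameters can contain fragments like "onload" in non-executable contexts.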
