CVE-2024-49524
Published: 07 November 2024
Summary
CVE-2024-49524 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Adobe Experience Manager. Its CVSS base score is 5.4 (Medium).
Operationally, it ranks in the top 8.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Adobe Experience Manager versions 6.5.20 and earlier are affected by a DOM-based Cross-Site Scripting vulnerability tracked as CVE-2024-49524. The flaw, assigned CWE-79, allows an attacker to execute arbitrary code within the victim's browser session by manipulating a DOM element through a crafted URL or user input, with the malicious scripts executing upon page rendering.
An attacker with low privileges can exploit the issue over the network by supplying crafted input that triggers the vulnerability, though successful exploitation requires the victim to interact with the manipulated URL or input. The attack yields limited impacts to confidentiality and integrity in a changed scope, as reflected in its CVSS 3.1 score of 5.4.
The Adobe security advisory at https://helpx.adobe.com/security/products/experience-manager/apsb24-28.html addresses mitigation steps and available patches for the affected Experience Manager versions. The associated EPSS score remains flat at 0.0719 with no material increase observed since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-43456
Vulnerability details
Adobe Experience Manager versions 6.5.20 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by an attacker to execute arbitrary code in the context of the victim's browser session. By manipulating a DOM element through a crafted URL or user input, the attacker can inject malicious scripts that run when the page is rendered. This type of attack requires user interaction, as the victim would need to access a manipulated URL or provide specific input to trigger the vulnerability.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Input validation rejects web inputs containing script-related content that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
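As an added illustration of the sink pattern behind DOM-based XSS and of the two controls listed above (validating input against expected values, and escaping or sanitising on output), the following JavaScript was written for this page; it is not Adobe's code and does not reproduce the Experience Manager flaw. The URL, the fragment parameter names `q` and `tab`, the tab allowlist and the sample payload are all constructed assumptions, and the functions are pure so the block runs under Node without a browser DOM.

```javascript
// Added example for this page (not Adobe's code): the DOM-based XSS sink
// pattern and its hardened forms, written as pure functions so it runs
// under Node. All names and values (URL, 'q', 'tab', allowlist) are constructed.

// Escape the characters that change meaning in HTML text/attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Read a key=value parameter from the URL fragment ("#q=...&tab=...").
// The fragment is fully attacker-controlled and never reaches the server,
// which is why server-side filtering alone does not cover DOM-based XSS.
function fragmentParam(url, name) {
  const hash = new URL(url).hash.slice(1);
  return new URLSearchParams(hash).get(name);
}

// Vulnerable pattern: fragment data concatenated straight into markup that
// the page would then assign to innerHTML. The payload survives untouched.
function renderSearchUnsafe(url) {
  const q = fragmentParam(url, 'q') ?? '';
  return `<p>Results for: ${q}</p>`;
}

// Output sanitisation: the same markup, but the untrusted value is escaped
// so the browser renders it as text instead of parsing it as HTML.
function renderSearchSafe(url) {
  const q = fragmentParam(url, 'q') ?? '';
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// Input validation: where the value selects among known options, compare it
// against an allowlist and fall back to a default rather than trying to clean it.
const ALLOWED_TABS = new Set(['home', 'assets', 'sites']); // constructed
function selectTab(url) {
  const raw = fragmentParam(url, 'tab') ?? 'home';
  return ALLOWED_TABS.has(raw) ? raw : 'home';
}

// Sink choice: in a browser, writing untrusted text through textContent (or
// setAttribute for attributes) never invokes the HTML parser. `el` is any
// object with a textContent property, so this also runs outside a browser.
function setTextSafely(el, value) {
  el.textContent = String(value);
  return el;
}

// Constructed sample: a link whose fragment carries a script tag and markup.
const SAMPLE_URL =
  'https://aem.example.invalid/content/page.html#' +
  new URLSearchParams({ q: '<script>alert(1)</script>', tab: '<b>x</b>' }).toString();

console.log(renderSearchUnsafe(SAMPLE_URL)); // script tag passes through
console.log(renderSearchSafe(SAMPLE_URL));   // rendered as inert text
console.log(selectTab(SAMPLE_URL));          // falls back to "home"
```

In a real page the difference between the two render functions is whether the result is assigned to `innerHTML` (HTML parser runs) or placed with `textContent` (it does not); the allowlist shows the reject-on-validation control, the escaping function the sanitise-on-output control, and both are applied in client-side code because fragment data never reaches a server-side filter.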