Cyber Resilience

CVE-2024-53963

Medium

Published: 05 February 2025

Published
05 February 2025
Modified
11 February 2025
KEV Added
Patch
CVSS Score v3.1 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS Score 0.0536 90.3th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-53963 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Adobe Experience Manager. Its CVSS base score is 5.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

Adobe Experience Manager versions 6.5.21 and earlier contain a DOM-based cross-site scripting vulnerability tracked as CVE-2024-53963. The flaw, classified under CWE-79, allows manipulation of a DOM element via crafted input or URL parameters, causing attacker-controlled scripts to execute in the context of a victim's browser session when the page renders.

A low-privileged attacker can trigger the issue by supplying malicious input that a victim subsequently accesses or interacts with. Successful exploitation yields arbitrary script execution with limited impact on confidentiality and integrity but no direct availability effect, as reflected in the CVSS 5.4 score requiring both low privileges and user interaction.

The Adobe advisory APSB24-69 at helpx.adobe.com/security/products/experience-manager/apsb24-69.html addresses the issue and is the primary source for remediation guidance. The associated EPSS score has remained flat at 0.0536 with no material increase since disclosure.

EU & UK References

Vulnerability details

Adobe Experience Manager versions 6.5.21 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute arbitrary code in the context of the victim's browser session. By manipulating a…

more

DOM element through a crafted URL or user input, the attacker can inject malicious scripts that run when the page is rendered. This type of attack requires user interaction, as the victim would need to access a manipulated link or input data into a vulnerable page.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

DOM-based XSS in public-facing AEM enables direct exploitation of the web app (T1190) with arbitrary JavaScript execution in victim browser (T1059.007) via crafted input/links.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-64539Same product: Adobe Experience Manager
CVE-2024-53965Same product: Adobe Experience Manager
CVE-2025-64538Same product: Adobe Experience Manager
CVE-2025-64537Same product: Adobe Experience Manager
CVE-2025-49533Same product: Adobe Experience Manager
CVE-2026-21284Same vendor: Adobe
CVE-2025-24416Same vendor: Adobe
CVE-2026-21361Same vendor: Adobe
CVE-2025-24410Same vendor: Adobe
CVE-2025-24438Same vendor: Adobe

Affected Assets

adobe
experience manager
≤ 6.5.22 · ≤ 2024.11.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 Flaw Remediation directly addresses this DOM-based XSS vulnerability by requiring identification, reporting, and patching of the flaw as detailed in Adobe's APSB24-69 bulletin.

prevent

SI-10 Information Input Validation prevents exploitation by checking and validating crafted URLs and user inputs to block malicious script injection.

prevent

SI-15 Information Output Filtering mitigates DOM-based XSS by encoding and filtering outputs to neutralize injected scripts when pages are rendered in the victim's browser.

References