CVE-2024-53965
Published: 05 February 2025
Summary
CVE-2024-53965 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Adobe Experience Manager. Its CVSS base score is 5.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked in the top 9.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely application of vendor patches directly remediates the DOM-based XSS vulnerability in Adobe Experience Manager as specified in the security bulletin.
Output filtering and encoding prevents malicious scripts from being rendered executable in the victim's browser when processing user inputs or URLs.
Input validation restricts crafted URLs and user inputs that could manipulate DOM elements to inject malicious scripts.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
DOM-based XSS enables arbitrary JS execution in victim browser via crafted URLs/links, directly facilitating drive-by compromise and client-side scripting.
NVD Description
Adobe Experience Manager versions 6.5.21 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute arbitrary code in the context of the victim's browser session. By manipulating a…
more
DOM element through a crafted URL or user input, the attacker can inject malicious scripts that run when the page is rendered. This type of attack requires user interaction, as the victim would need to access a manipulated link or input data into a vulnerable page.
Deeper analysisAI
Adobe Experience Manager versions 6.5.21 and earlier are affected by CVE-2024-53965, a DOM-based Cross-Site Scripting (XSS) vulnerability classified under CWE-79. This flaw allows attackers to manipulate DOM elements through crafted URLs or user input, injecting malicious scripts that execute in the context of the victim's browser session when the page is rendered. The vulnerability has a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N), indicating medium severity with network accessibility, low attack complexity, low privileges required, user interaction needed, changed scope, low confidentiality and integrity impacts, and no availability impact.
A low-privileged attacker can exploit this vulnerability by tricking a victim into accessing a manipulated link or submitting data into a vulnerable page, requiring user interaction for success. Upon exploitation, the attacker achieves execution of arbitrary code within the victim's browser session, potentially leading to session hijacking, data theft, or further phishing attacks in the context of the affected Adobe Experience Manager instance.
Adobe has published security bulletin APSB24-69 at https://helpx.adobe.com/security/products/experience-manager/apsb24-69.html, which provides details on mitigation and available patches for this vulnerability.
Details
- CWE(s)