Cyber Resilience

CVE-2024-53965

Severity: Medium

Published: 05 February 2025
Modified: 11 February 2025
KEV Added: not listed
CVSS Score v3.1: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.0536 (90.3rd percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-53965 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Adobe Experience Manager. Its CVSS base score is 5.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks in the top 9.7% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Deeper analysis

Adobe Experience Manager versions 6.5.21 and earlier contain a DOM-based cross-site scripting vulnerability tracked as CVE-2024-53965. The flaw, classified under CWE-79, allows manipulation of DOM elements via crafted URLs or user input, enabling injection of scripts that execute in the victim's browser context when the page renders. It carries a CVSS 3.1 score of 5.4, reflecting a network attack vector, low attack complexity, low privileges required and required user interaction; the scope is changed, the impact on confidentiality and integrity is low, and there is no impact on availability.

A low-privileged attacker can exploit the issue by supplying a malicious link or input that a victim must access or interact with, resulting in arbitrary script execution within the victim's browser session. This can lead to session hijacking or to unauthorized actions performed on behalf of the authenticated user.

The Adobe advisory at helpx.adobe.com/security/products/experience-manager/apsb24-69.html addresses the vulnerability and directs administrators to apply the fixes released for affected Experience Manager installations.

EPSS remains flat at 0.0536 with no material increase since disclosure.

Vulnerability details

Adobe Experience Manager versions 6.5.21 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute arbitrary code in the context of the victim's browser session. By manipulating a DOM element through a crafted URL or user input, the attacker can inject malicious scripts that run when the page is rendered. This type of attack requires user interaction, as the victim would need to access a manipulated link or input data into a vulnerable page.

CWE(s): CWE-79 (Cross-site Scripting)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1189 Drive-by Compromise (Initial Access): Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

DOM-based XSS enables arbitrary JavaScript execution in the victim's browser via crafted URLs or links, directly facilitating drive-by compromise and client-side scripting.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-53963 (same product: Adobe Experience Manager)
CVE-2025-64539 (same product: Adobe Experience Manager)
CVE-2025-64538 (same product: Adobe Experience Manager)
CVE-2025-64537 (same product: Adobe Experience Manager)
CVE-2025-49533 (same product: Adobe Experience Manager)
CVE-2025-24416 (same vendor: Adobe)
CVE-2026-21361 (same vendor: Adobe)
CVE-2025-24410 (same vendor: Adobe)
CVE-2025-24415 (same vendor: Adobe)
CVE-2026-34686 (same vendor: Adobe)

Affected Assets

Adobe Experience Manager: ≤ 6.5.22 · ≤ 2024.11.0

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: SI-2 (Flaw Remediation). Timely application of vendor patches directly remediates the DOM-based XSS vulnerability in Adobe Experience Manager as specified in the security bulletin.

Prevent: SI-15 (Information Output Filtering). Output filtering and encoding prevent malicious scripts from being rendered executable in the victim's browser when processing user inputs or URLs.

Prevent: Input validation restricts crafted URLs and user inputs that could manipulate DOM elements to inject malicious scripts.
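The vulnerable pattern described in the deeper analysis above, beside the output-encoding control listed under SI-15, as an added example that is not Adobe's code and not a real Experience Manager component; the `name` query parameter, the element stand-in and the render functions are constructed for illustration:

```javascript
// Constructed illustration of the DOM-based XSS pattern described above: an untrusted
// value taken from the page's own URL reaches a markup-parsing sink. Not AEM code.

// HTML-encode text destined for element content (the output-filtering control, SI-15).
function encodeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-in for a DOM element so this runs under Node without a browser: innerHTML hands
// the string to the HTML parser as-is; textContent stores it as a text node (entities).
function makeElement() {
  let html = "";
  return {
    get innerHTML() { return html; },
    set innerHTML(v) { html = String(v); },
    set textContent(v) { html = encodeHtml(v); },
  };
}

// Source: the "name" query parameter of the current page URL (assumed; location.search
// or location.hash are the same class of attacker-influenced source).
function nameFromUrl(url) {
  return new URL(url).searchParams.get("name") ?? "";
}

// Vulnerable pattern: the parameter is concatenated into markup, so any tags it carries
// become live DOM when the page renders.
function renderUnsafe(el, url) {
  el.innerHTML = "<h1>Welcome, " + nameFromUrl(url) + "</h1>";
  return el.innerHTML;
}

// Hardened pattern A: write the untrusted value through a text sink; markup is never parsed.
function renderSafeText(el, url) {
  el.textContent = "Welcome, " + nameFromUrl(url);
  return el.innerHTML;
}

// Hardened pattern B: when markup must be assembled as a string, encode the untrusted part.
function renderSafeEncoded(el, url) {
  el.innerHTML = "<h1>Welcome, " + encodeHtml(nameFromUrl(url)) + "</h1>";
  return el.innerHTML;
}

// Review check: does the untrusted input survive in the rendered markup as parseable tags?
function inputLeaksMarkup(rendered, input) {
  return /<[a-z]/i.test(input) && rendered.includes(input);
}

// Constructed sample: the parameter carries harmless markup so the leak is visible.
const CONSTRUCTED_URL = "https://example.test/profile?name=%3Cb%3Einjected%3C%2Fb%3E";
```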