CVE-2024-26095: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager (AEM) versions 6.5.20 and earlier contain a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was disclosed on June 13, 2024, and was assigned CVE-2024-26095. This security flaw affects both the on-premise installations of AEM 6.5.20 and earlier versions, as well as AEM Cloud Service versions up to 2024.5 (Adobe Advisory).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) issue (CWE-79) with a CVSS v3.1 base score of 5.4 (Medium). The vulnerability has the following vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating that it requires network access, low attack complexity, low privileges, and user interaction, with potential impact on confidentiality and integrity (NVD).

When exploited, this vulnerability allows attackers to inject malicious scripts into vulnerable form fields. When victims browse to pages containing these compromised fields, the malicious JavaScript code executes in their browsers, potentially leading to unauthorized data access or manipulation of the user's browser session (Adobe Advisory).

Adobe has addressed this vulnerability by releasing updated versions of the affected software. Users are advised to upgrade to AEM version 6.5.21 or later for on-premise installations, or ensure their AEM Cloud Service is updated to version 2024.5 or later (Adobe Advisory).