CVE-2024-52850: 
Adobe Experience Manager vulnerability analysis and mitigation

CVE-2024-52850 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.21 and earlier. The vulnerability was disclosed on December 10, 2024, and received a CVSS v3.1 base score of 5.4 (Medium severity) (NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and allows attackers to inject malicious scripts into vulnerable form fields. When a victim browses to a page containing the compromised field, the malicious JavaScript code can be executed within the context of their browser session. The vulnerability requires low attack complexity but does need low privileges and user interaction to be exploited, as reflected in the CVSS vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

If successfully exploited, this vulnerability could allow attackers to execute arbitrary JavaScript code in victims' browsers when they visit affected pages. This could potentially lead to theft of sensitive information, session hijacking, or other client-side attacks within the context of the affected AEM installation (CIS Advisory).

Users are advised to update their Adobe Experience Manager installations to versions after 6.5.21 to address this vulnerability. For AEM Cloud Service users, updating to version 2024.11.0 or later is recommended (NVD).