CVE-2024-52860: 
Adobe Experience Manager vulnerability analysis and mitigation

CVE-2024-52860 is a DOM-based Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager versions 6.5.21 and earlier. The vulnerability was discovered and disclosed on December 10, 2024, and affects both the standard AEM installations and AEM Cloud Service deployments (NVD, Adobe Advisory).

The vulnerability allows an attacker to execute arbitrary code in the context of the victim's browser session by manipulating DOM elements through crafted URLs or user input. The malicious scripts are executed when the affected page is rendered. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility with low attack complexity, requiring low privileges and user interaction (NVD).

If successfully exploited, this vulnerability could allow attackers to execute arbitrary JavaScript code in the context of the victim's browser session. This could potentially lead to theft of sensitive information, session hijacking, or other client-side attacks within the scope of the affected Adobe Experience Manager installation (NVD).

Adobe has released security updates to address this vulnerability. Users are advised to update to the latest version of Adobe Experience Manager. For AEM 6.5, update to version 6.5.22.0 or later, and for AEM Cloud Service, update to version 2024.11.0 or later (Adobe Advisory).