CVE-2024-52865: 
Adobe Experience Manager vulnerability analysis and mitigation

CVE-2024-52865 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager versions 6.5.21 and earlier. The vulnerability was discovered and disclosed in December 2024, with Adobe releasing security updates to address the issue. The vulnerability specifically affects the form fields functionality within Adobe Experience Manager (NVD).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) vulnerability with a CVSS v3.1 base score of 5.4 (Medium). The attack vector is characterized as network-accessible (AV:N), requiring low attack complexity (AC:L), privileged access (PR:L), user interaction (UI:R), with changed scope (S:C), and low impacts to confidentiality and integrity (C:L, I:L) with no impact to availability (A:N). The vulnerability is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

If successfully exploited, this vulnerability allows privileged attackers to inject malicious scripts into vulnerable form fields. When victims browse to pages containing the compromised fields, the malicious JavaScript code executes in their browsers, potentially leading to unauthorized data access or manipulation within the context of the user's session (NVD).

Adobe has addressed this vulnerability in Experience Manager versions after 6.5.21. Organizations using affected versions should upgrade to the latest version to mitigate this security risk (Adobe Advisory).