CVE-2024-53966: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager (AEM) versions 6.5.21 and earlier contain a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-53966. The vulnerability was disclosed on February 4, 2025, affecting both AEM 6.5.x versions up to 6.5.21 and AEM Cloud Service versions prior to 2024.11.0 (NVD, Adobe Advisory).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) issue (CWE-79) that allows low-privileged attackers to inject malicious scripts into vulnerable form fields. The severity is rated as MEDIUM with a CVSS v3.1 base score of 5.4 (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) (NVD).

When exploited, the vulnerability allows malicious JavaScript code to be executed in a victim's browser when they browse to the page containing the vulnerable field. This can lead to potential compromise of user session data and unauthorized actions performed in the context of the affected user's browser (NVD).

Users should upgrade to Adobe Experience Manager version 6.5.22 or later, or AEM Cloud Service version 2024.11.0 or later to address this vulnerability (NVD).