Platform
adobe
Component
adobe-connect
Fixed in
11.4.8
CVE-2024-54032 describes a stored Cross-Site Scripting (XSS) vulnerability in Adobe Connect. This vulnerability allows attackers to inject malicious scripts into vulnerable form fields, potentially leading to session takeover and compromising user data. The vulnerability affects versions 0 through 11.4.7 of Adobe Connect, and a fix is available in version 12.6.
The impact of this XSS vulnerability is significant. An attacker who successfully exploits this flaw can inject arbitrary JavaScript code into a victim's browser. This malicious script can then be executed when a user visits the affected page. The consequences can range from stealing session cookies to performing actions on behalf of the user, effectively granting the attacker control over the user's account. The description explicitly mentions session takeover, indicating a high level of confidentiality and integrity impact. This is similar in impact to other XSS vulnerabilities that have led to account compromise and data breaches.
CVE-2024-54032 was publicly disclosed on December 10, 2024. As of this date, there is no indication of active exploitation in the wild or listing on CISA KEV. Public proof-of-concept exploits are not yet widely available, but the vulnerability's severity and ease of exploitation suggest it could become a target for attackers. The NVD entry provides further details and potential attack vectors.
Exploit Status
EPSS
1.39% (80% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-54032 is to upgrade to Adobe Connect version 12.6 or later, which contains the fix. If upgrading immediately is not possible, consider implementing temporary workarounds. Input validation and sanitization on all user-supplied data within Adobe Connect forms is crucial. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and update Adobe Connect's security configuration to minimize the attack surface. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple JavaScript payload into a vulnerable form field and verifying that it is not executed.
Update Adobe Connect to version 12.6 or later. This update fixes the stored XSS vulnerability. See the Adobe security bulletin for more details and specific instructions.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-54032 is a stored Cross-Site Scripting (XSS) vulnerability in Adobe Connect allowing attackers to inject malicious scripts into form fields, potentially leading to session takeover.
You are affected if you are using Adobe Connect versions 0 through 11.4.7. Upgrade to version 12.6 or later to mitigate the risk.
Upgrade to Adobe Connect version 12.6 or later. Implement input validation and sanitization as a temporary workaround if immediate upgrade is not possible.
As of December 10, 2024, there is no confirmed evidence of active exploitation in the wild, but the vulnerability's severity suggests it could become a target.
Refer to the official Adobe Security Bulletin for CVE-2024-54032: [https://www.adobe.com/security/advisories/AdobeConnect.txt](https://www.adobe.com/security/advisories/AdobeConnect.txt)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.