Platform
adobe
Component
adobe-connect
Fixed in
11.4.8
CVE-2024-54034 describes a reflected Cross-Site Scripting (XSS) vulnerability affecting Adobe Connect versions 12.6, 11.4.7, and earlier. Successful exploitation allows an attacker to inject malicious JavaScript code into a victim's browser, potentially leading to session hijacking and data compromise. Affected versions include all releases from 0 through 11.4.7; upgrading to version 12.6 resolves the issue.
This XSS vulnerability poses a significant risk because it allows attackers to execute arbitrary JavaScript code within the context of a victim's Adobe Connect session. An attacker could craft a malicious URL and trick a user into clicking it, leading to the execution of the attacker's code. This could result in the attacker gaining control of the user's session, allowing them to access sensitive information, modify data, or perform actions on behalf of the victim. The high CVSS score reflects the potential for significant confidentiality and integrity impact, as session takeover is a serious security concern. The impact is amplified in environments where Adobe Connect is used for sensitive training or collaboration, as attackers could potentially intercept and manipulate communications.
CVE-2024-54034 was publicly disclosed on December 10, 2024. While no active exploitation campaigns have been publicly confirmed, the ease of exploitation associated with reflected XSS vulnerabilities means it is likely to be targeted. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are expected to emerge, increasing the risk of widespread exploitation.
Exploit Status
EPSS
1.31% (80% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-54034 is to upgrade Adobe Connect to version 12.6 or later, which contains the fix. If immediate upgrading is not possible, consider implementing strict input validation and output encoding on all user-supplied data to prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Review Adobe Connect's access controls to limit who can access vulnerable pages. After upgrading, verify the fix by attempting to inject a simple JavaScript payload into a URL and confirming that it is properly sanitized and does not execute.
Update Adobe Connect to version 12.6 or later. Consult the Adobe security bulletin for more details and specific upgrade instructions. This will resolve the reflected XSS vulnerability.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-54034 is a critical reflected Cross-Site Scripting (XSS) vulnerability in Adobe Connect versions 0–11.4.7, allowing attackers to execute malicious JavaScript code.
If you are using Adobe Connect versions 0 through 11.4.7, you are potentially affected by this vulnerability. Upgrade to version 12.6 or later to mitigate the risk.
The recommended fix is to upgrade Adobe Connect to version 12.6 or later. Implement input validation and WAF rules as interim measures.
While no active exploitation campaigns have been publicly confirmed, the ease of exploitation makes it a likely target. Monitor your systems closely.
Refer to the official Adobe Security Bulletin for details: [https://www.adobe.com/security/advisories/CVE-2024-54034.htm](https://www.adobe.com/security/advisories/CVE-2024-54034.htm)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.