Platform
adobe
Component
adobe-connect
Fixed in
11.4.8
CVE-2024-54036 describes a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Connect versions 12.6, 11.4.7, and earlier. Successful exploitation allows an attacker to inject malicious scripts into vulnerable form fields, potentially leading to session takeover and compromising user data. Affected versions include 0 through 11.4.7, and a fix is available in version 12.6.
This XSS vulnerability poses a significant risk to Adobe Connect users. An attacker can inject malicious JavaScript code into vulnerable form fields within the application. When a user accesses a page containing this injected script, their browser will execute it, potentially granting the attacker control over their session. This can lead to unauthorized access to sensitive data, modification of user profiles, or even complete account takeover. The high confidentiality and integrity impact stems from the potential for session hijacking and subsequent malicious actions performed under the victim's identity. The attack surface is broad, encompassing any form field susceptible to script injection.
CVE-2024-54036 was publicly disclosed on December 10, 2024. The vulnerability's criticality (CVSS 9.3) indicates a high probability of exploitation. While no public proof-of-concept (PoC) code has been widely reported, the ease of XSS exploitation suggests that it could be quickly leveraged in attacks. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting Adobe Connect.
Exploit Status
EPSS
1.31% (80% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-54036 is to upgrade Adobe Connect to version 12.6 or later, which contains the fix. If immediate upgrading is not feasible, consider implementing temporary workarounds. Input validation and sanitization on all user-supplied data within Adobe Connect forms can help reduce the attack surface. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and update Adobe Connect's security configuration to ensure best practices are followed. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple script into a form field and verifying that it is not executed.
Update Adobe Connect to version 12.6 or later. This update fixes the stored XSS vulnerability that allows for the injection of malicious scripts. See the Adobe security bulletin for more details and specific upgrade instructions.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-54036 is a critical stored Cross-Site Scripting (XSS) vulnerability in Adobe Connect versions 0–11.4.7, allowing attackers to inject malicious scripts.
If you are using Adobe Connect versions 12.6, 11.4.7, or earlier, you are potentially affected by this vulnerability.
Upgrade Adobe Connect to version 12.6 or later to resolve the vulnerability. Consider input validation as a temporary workaround.
While no widespread exploitation has been confirmed, the vulnerability's criticality suggests a high probability of exploitation.
Refer to the official Adobe Security Bulletin for CVE-2024-54036: [https://www.adobe.com/security/advisories/AdobeConnect.txt](https://www.adobe.com/security/advisories/AdobeConnect.txt)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.