Platform: adobe
Component: adobe-experience-manager
Fixed version: 6.5.7
CVE-2020-24445 describes a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM). This vulnerability allows attackers to inject malicious scripts into vulnerable form fields within AEM, potentially leading to the execution of arbitrary JavaScript in a victim's browser. The vulnerability impacts AEM Cloud Service and versions 6.5.6.0 and earlier. Adobe has released patches to address this issue.
Successful exploitation of CVE-2020-24445 allows an attacker to inject arbitrary JavaScript code into AEM pages. When a user visits a page containing the injected script, the malicious code will execute within their browser context. This could lead to various attacks, including session hijacking, credential theft, defacement of the website, and redirection to malicious sites. The impact is particularly severe because XSS vulnerabilities can be exploited without requiring authentication, potentially affecting all users of the affected AEM instance. The stored nature of the XSS means the injected script persists until removed, allowing for repeated exploitation.
CVE-2020-24445 was publicly disclosed on December 10, 2020. While no active exploitation campaigns have been definitively linked to this specific CVE, XSS vulnerabilities are frequently targeted. The CVSS score of 9.0 (CRITICAL) indicates a high level of severity. No KEV listing is currently available.
Organizations using Adobe Experience Manager Cloud Service or versions 6.5.6.0 and earlier are at risk. This includes businesses relying on AEM for content management, digital asset management, and website personalization. Shared hosting environments utilizing AEM are particularly vulnerable, as a compromised tenant could potentially inject malicious scripts affecting other tenants.
• adobe: Examine AEM logs for unusual JavaScript execution patterns or suspicious form submissions. Look for POST requests containing <script> tags or event handlers. On a Windows host where the AEM service writes to the Application event log under the provider name 'AEM' (adjust the name to your installation), filter on error-level events (Level 2) and match on the message body:
Get-WinEvent -LogName Application -FilterXPath "*[System[Provider[@Name='AEM'] and Level=2]]" | Where-Object { $_.Message -match '<script' }
• generic web: Monitor access logs for requests containing suspicious characters or patterns commonly associated with XSS attacks (e.g., <script>, onerror=, javascript:). Access logs record the request target as it was sent, so match the URL-encoded forms as well as the literal ones:
grep -iE '<script|%3Cscript|onerror=|onerror%3D|javascript:|javascript%3A' /var/log/apache2/access.log
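A single grep on the raw access log misses payloads that arrive URL-encoded or with mixed case. The following Python script, added here as an illustration and not part of the original advisory or any Adobe tooling, parses Apache combined-format lines, decodes the request target (twice, to catch double-encoding), and then matches the three indicators named above. The log lines are constructed sample data, not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined log format (not real traffic).
# Lines 3-5 carry URL-encoded or mixed-case payloads that a literal grep
# for '<script' does not match.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [10/Dec/2020:10:01:02 +0000] "GET /content/site/en/blog.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Dec/2020:10:01:05 +0000] "POST /content/site/en/blog/comments HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Dec/2020:10:01:09 +0000] "GET /content/site/en/search.html?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Dec/2020:10:01:12 +0000] "GET /content/site/en/profile.html?name=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.14 - - [10/Dec/2020:10:01:15 +0000] "GET /content/site/en/redirect.html?u=JavaScript:alert(1) HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Fixed prefix of the combined log format; referrer and user-agent are not
# needed for this check, so the pattern stops after the status code.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The indicators listed in the detection guidance, matched case-insensitively
# against the decoded request target.
XSS_INDICATORS = re.compile(r'<script|onerror\s*=|javascript:', re.IGNORECASE)


def decode_target(target: str, rounds: int = 2) -> str:
    """URL-decode a request target; a second round catches double-encoding."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan_access_log(text: str) -> list:
    """Return one record per line whose decoded target carries an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        decoded = decode_target(m.group('target'))
        found = XSS_INDICATORS.search(decoded)
        if found:
            hits.append({
                'ip': m.group('ip'),
                'method': m.group('method'),
                'status': int(m.group('status')),
                'target': decoded,
                'indicator': found.group(0).lower(),
            })
    return hits


def raw_literal_hits(text: str, needle: str = '<script') -> int:
    """What a case-sensitive search on the undecoded log would report."""
    return sum(1 for line in text.splitlines() if needle in line)


if __name__ == '__main__':
    print('literal matches:', raw_literal_hits(SAMPLE_ACCESS_LOG))
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print(hit)
```

Matches on GET targets only show reflected attempts; for the stored variant described in this advisory, the comment body travels in a POST payload that access logs do not record, so the same decoding and matching should be applied to the AEM request log or to the form data at the application layer.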
Exploitation status
EPSS: 0.44% (63rd percentile)
CVSS vector
The primary mitigation for CVE-2020-24445 is to upgrade to a patched version of Adobe Experience Manager. Adobe recommends upgrading to a version that includes the fix for this vulnerability. If immediate upgrade is not possible, consider implementing input validation and output encoding on all user-supplied data to prevent malicious scripts from being injected. Web Application Firewalls (WAFs) configured to detect and block XSS attacks can also provide a temporary layer of protection. Carefully review and sanitize all form fields and user input within AEM.
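Input validation alone does not close a stored XSS, because the stored value is rendered later into several HTML contexts, each of which needs its own encoding. The Python script below is an added illustration of that principle, not AEM code (AEM itself relies on HTL's context-aware escaping and its XSSAPI): it validates a submitted comment, then renders it with per-context encoding, alongside the unencoded concatenation that produces the vulnerable page. The stored comment is constructed sample data.

```python
import html
import json

# Constructed example of a comment as stored after a form submission.
# The values are the standard harmless test strings, not real attacker data.
STORED_COMMENT = {
    'author': 'guest" onmouseover="alert(1)',
    'body': 'Nice post <script>alert(1)</script>',
}

MAX_AUTHOR = 64
MAX_BODY = 2000


def validate_comment(comment: dict) -> dict:
    """Server-side input validation: required fields, length limits, no control chars."""
    author = str(comment.get('author', '')).strip()
    body = str(comment.get('body', '')).strip()
    if not author or not body:
        raise ValueError('author and body are required')
    if len(author) > MAX_AUTHOR or len(body) > MAX_BODY:
        raise ValueError('field too long')
    if any(ord(c) < 32 and c not in '\n\t' for c in author + body):
        raise ValueError('control characters are not allowed')
    return {'author': author, 'body': body}


def encode_for_html(value: str) -> str:
    """Encoding for element content: < > & become entities."""
    return html.escape(value, quote=False)


def encode_for_attr(value: str) -> str:
    """Encoding for a quoted attribute value: also neutralises both quote characters."""
    return html.escape(value, quote=True)


def encode_for_js(value: str) -> str:
    """Encoding for a JavaScript string literal inside a <script> block.

    JSON quoting handles quotes and backslashes; < > & are additionally
    written as \\uXXXX so the literal can never close the enclosing script tag.
    """
    return (json.dumps(value)
            .replace('<', '\\u003c')
            .replace('>', '\\u003e')
            .replace('&', '\\u0026'))


def render_comment(comment: dict) -> str:
    """Hardened rendering: each value is encoded for the context it lands in."""
    c = validate_comment(comment)
    return (
        f'<div class="comment" data-author="{encode_for_attr(c["author"])}">'
        f'<p>{encode_for_html(c["body"])}</p>'
        f'<script>var author = {encode_for_js(c["author"])};</script>'
        '</div>'
    )


def render_comment_unsafe(comment: dict) -> str:
    """The vulnerable pattern: stored values concatenated into markup unchanged."""
    return (
        f'<div class="comment" data-author="{comment["author"]}">'
        f'<p>{comment["body"]}</p>'
        f'<script>var author = "{comment["author"]}";</script>'
        '</div>'
    )


if __name__ == '__main__':
    print('unsafe:', render_comment_unsafe(STORED_COMMENT))
    print('safe:  ', render_comment(STORED_COMMENT))
```

The validation step rejects oversized or malformed input but deliberately does not try to strip tags: a denylist of tags is easy to get wrong, whereas encoding at output time is correct regardless of what was stored, which is what matters for data that is already in the repository when the patch is applied.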
Update Adobe Experience Manager to the latest available version. This will fix the stored XSS vulnerability in the comments feature.
CVE-2020-24445 is a critical stored Cross-Site Scripting (XSS) vulnerability in Adobe Experience Manager (AEM) affecting Cloud Service and versions <= 6.5.6.0, allowing attackers to inject malicious scripts.
If you are using Adobe Experience Manager Cloud Service or version 6.5.6.0 or earlier, you are potentially affected by this vulnerability. Check your AEM version and apply the necessary patches.
The recommended fix is to upgrade to a patched version of Adobe Experience Manager that includes the security update. Consult Adobe's security advisories for details.
While no confirmed active exploitation campaigns have been publicly linked, XSS vulnerabilities are frequently targeted, so proactive mitigation is essential.
Refer to the Adobe Security Bulletin for CVE-2020-24445: https://www.adobe.com/security/advisories/adv20-3861.html