CVE-2024-53963

Adobe Experience Manager versions 6.5.21 and earlier are affected by CVE-2024-53963, a DOM-based Cross-Site Scripting (XSS) vulnerability classified under CWE-79. This flaw allows attackers to manipulate DOM elements through crafted URLs or user input, injecting malicious scripts that execute in the context of the victim's browser session when the page is rendered. The vulnerability has a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N), indicating medium severity with network accessibility, low attack complexity, low privileges required, user interaction needed, changed scope, and low impacts to confidentiality and integrity.

A low-privileged attacker can exploit this vulnerability by tricking a victim into accessing a manipulated link or submitting data into a vulnerable page, requiring user interaction for success. Upon exploitation, the attacker achieves execution of arbitrary code within the victim's browser session, potentially leading to session hijacking, data theft, or further phishing attacks in the context of the affected Adobe Experience Manager instance.

Adobe has addressed this issue in security bulletin APSB24-69, available at https://helpx.adobe.com/security/products/experience-manager/apsb24-69.html, which provides details on patches and mitigation steps for affected versions.