Stored Cross-Site Scripting (XSS) vulnerabilities in AEM 6.5.21
A security vulnerability, CVE-2024-43726, characterized as a stored Cross-Site Scripting (XSS) vulnerability (CWE-79), was identified in Adobe Experience Manager (AEM) version 6.5.21 and earlier. This vulnerability allows attackers to inject malicious scripts into vulnerable form fields, which are then executed in the context of an unsuspecting user's browser.
To mitigate the risk associated with the XSS vulnerability, ensure that your AEM environment is updated with the appropriate service pack, SP 19 or later.
Description
Environment
Adobe Experience Manager (AEM), version 6.5.21 and earlier
Issue/Symptoms
- A stored XSS vulnerability CVE-2024-43726 (as reported in VULN-25641) was detected in AEM versions up to 6.5.21.
- The vulnerability allows for the injection of malicious scripts via form fields, which are then stored and executed when accessed by other users.
- This vulnerability poses a serious threat in environments that handle sensitive data or involve frequent user interaction.
Root Cause
The issue, initially linked to an Adobe Commerce feature like catalog creation, was actually caused by the Move Page Wizard located at: /libs/wcm/core/content/sites/movepagewizard.html
This component is integral to the Sites administration console, so the impact extends well beyond the initial Commerce context.
Although the bug surfaced during a Commerce-related task, that was just one way to trigger it. Note that Adobe Commerce was removed and has been replaced by the Commerce Integration Framework (CIF) in AEM 6.5 Service Pack 22 (SP 22) and onwards.
Note: CVE-2024-43726 was reported around the same time as CVE-2023-48580, both indicating a title-based XSS vulnerability in the Move Page Wizard. Since CVE-2023-48580 was already resolved (as part of VULN-25645, specifically in NPR-41164) in AEM 6.5 Service Pack 19, and both share the same root issue, the fix also applies to CVE-2024-43726.
Resolution
The fix for CVE-2024-43726 is included in the content package cq-ui-wcm-admin-content-1.1.138 as part of NPR-41164. It was merged into AEM 6.5 Service Pack 19 (SP 19), released on September 25, 2023.
No additional hotfix is required for CVE-2024-43726, as it shares the same vulnerability as CVE-2023-48580, which was already resolved in SP 19. Regardless of what the security bulletin states, the fix for CVE-2024-43726 is available in SP 19 and is therefore already present in SP 21.
To ensure your system is protected:
- Confirm that your environment is running AEM 6.5 Service Pack 19 (SP 19) or later.
- If not, upgrade to at least SP 19 to ensure the fix is applied. No additional hotfix is required if SP 19 or later is installed.
- It is recommended to upgrade to SP 22 when feasible, as it includes further updates and improvements beyond the fix for this specific vulnerability.
Keeping your AEM environment updated with the latest service pack mitigates the risk from this XSS vulnerability without requiring further patches.
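The check described above, as an added example that is not part of this article or of Adobe's tooling: given the product version reported by an instance and, optionally, the names of installed content packages, it decides whether the SP 19 fix is present. It assumes the AEM 6.5 service pack number is the third component of the version string (as in "6.5.21.0") and that package version components compare numerically.

```python
import re

# CVE-2024-43726 (same root cause as CVE-2023-48580) is fixed in AEM 6.5 SP 19.
FIXED_SERVICE_PACK = 19
# The fixing content package named in the advisory (NPR-41164).
FIXED_PACKAGE = ("cq-ui-wcm-admin-content", (1, 1, 138))


def parse_aem_version(text):
    """Return (major, minor, service_pack) from a version such as '6.5.21.0'.

    Assumption: the 6.5 service pack number is the third component, as in a
    product info line like 'Adobe Experience Manager (6.5.21.0)'. Accepts
    either the bare version or the whole line.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(m.group(i)) for i in (1, 2, 3))


def parse_package(name):
    """Split 'cq-ui-wcm-admin-content-1.1.138[.zip]' into (name, version tuple)."""
    m = re.fullmatch(r"(.+?)-(\d+(?:\.\d+)+)(?:\.zip)?", name.strip())
    if not m:
        raise ValueError(f"unrecognised package name {name!r}")
    return m.group(1), tuple(int(p) for p in m.group(2).split("."))


def is_fixed(aem_version, installed_packages=()):
    """True when the instance carries the fix: either SP 19 or later, or
    (assumption) the fixing package, or a newer build of it, is installed."""
    major, minor, sp = parse_aem_version(aem_version)
    if (major, minor) != (6, 5):
        raise ValueError(f"advisory covers AEM 6.5 only, got {major}.{minor}")
    if sp >= FIXED_SERVICE_PACK:
        return True
    name, fixed_ver = FIXED_PACKAGE
    for pkg in installed_packages:
        pkg_name, pkg_ver = parse_package(pkg)
        if pkg_name == name and pkg_ver >= fixed_ver:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [
        ("author-1", "Adobe Experience Manager (6.5.21.0)", []),
        ("author-2", "6.5.18.0", ["cq-ui-wcm-admin-content-1.1.120.zip"]),
    ]
    for host, version, packages in inventory:
        print(host, "fixed" if is_fixed(version, packages) else "AFFECTED")
```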