CVE-2020-9732: Cross-site Scripting in Adobe Experience Manager Forms

Severity: 9.0 CRITICAL (NVD)
EPSS: 0.7% (top 27.91%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline:
Published: Sep 10
Latest update: May 24

Description

The AEM Forms add-on for versions 6.5.5.0 (and below) and 6.4.8.2 (and below) is affected by a stored XSS vulnerability that allows users with 'Author' privileges to store malicious scripts in fields associated with the Sites component. These scripts may be executed in a victim’s browser when they open the page containing the vulnerable field.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Exploitability: 2.3 | Impact: 6.0

Affected Packages: 3 packages

NVD: adobe/experience_manager_forms 6.4.8.1, 6.5.5.0 (+1)
CVEListV5: adobe/experience_manager unspecified Forms SP5 add-on for AEM 6.5.5.0 (+2)
NVD: adobe/experience_manager 6.3.0.0 6.3.3.8 (+3)

Patches

Vulnerability Details (2)

GHSA: GHSA-xmq3-w762-fqmr: The AEM Forms add-on for versions 6 (2022-05-24)
CVEList: Stored XSS in AEM Sites Components (2020-09-10)