CVE-2021-40722
published 2022-01-13


Priority: P260 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 3.27% (86.9th percentile)

AEM Forms Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by an XML External Entity (XXE) injection vulnerability that could be abused by an attacker to achieve RCE.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | experience_manager | <= 6.5.10.0 | |
| adobe | experience_manager | unspecified – 6.5.10.0 | |

Detection & IOCs

  • Vulnerability class is XML External Entity (XXE) injection in AEM Forms; monitor for XXE payloads (e.g., DOCTYPE/ENTITY declarations) in XML submitted to AEM Forms endpoints
  • Target products: AEM Forms Cloud Service and AEM Forms version 6.5.10.0 and below; ensure WAF/IDS rules inspect XML input to these specific product versions
  • The vendor advisory is referenced for patch details and affected-version scope; consult it for full remediation guidance

CVSS provenance

nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 · HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P