CVE-2021-40722 — XML External Entity (XXE) Injection in Adobe Experience Manager

CWE-611 — XML External Entity (XXE) Injection3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

1.0%

top 22.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Adobe Experience Manager

Timeline

PublishedJan 13

Latest updateJan 14

Description

AEM Forms Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by an XML External Entity (XXE) injection vulnerability that could be abused by an attacker to achieve RCE.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5adobe/experience_managerunspecified — 6.5.10.0

▶NVDadobe/experience_manager6.5.10.0

🔴Vulnerability Details

GHSA

GHSA-7h8f-9m99-6cfg: AEM Forms Cloud Service offering, as well as version 6↗2022-01-14

▶

💬Community

HackerOne

AEM forms XXE Vulnerability↗2022-01-13

▶