CVE-2021-40722
Published 2022-01-13
Priority: P260, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.27% (86.9th percentile)
AEM Forms Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by an XML External Entity (XXE) injection vulnerability that could be abused by an attacker to achieve RCE.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | experience_manager | <= 6.5.10.0 | — |
| adobe | experience_manager | unspecified – 6.5.10.0 | — |
Detection & IOCs (extracted from sources)
- Vulnerability class is XML External Entity (XXE) injection in AEM Forms; monitor for XXE payloads (e.g., DOCTYPE/ENTITY declarations) in XML submitted to AEM Forms endpoints
- Target products: AEM Forms Cloud Service and AEM Forms version 6.5.10.0 and below; ensure WAF/IDS rules inspect XML input to these specific product versions
- Vendor advisory for patch details and affected version scope is referenced; consult for full remediation guidance
CVSS provenance
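| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |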
No detection rules found.
No public exploits indexed.