CVE-2022-28820Cross-site Scripting in Adobe ACS AEM Commons

CWE-79Cross-site Scripting3 documents3 sources
Severity
6.1MEDIUMNVD
EPSS
1.3%
top 20.00%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Adobe ACS AEM CommonsAdobe Experience Manager
Timeline
PublishedApr 21
Latest updateApr 26

Description

ACS Commons version 5.1.x (and earlier) suffers from a Reflected Cross-site Scripting (XSS) vulnerability in /apps/acs-commons/content/page-compare.html endpoint via the a and b GET parameters. User input submitted via these parameters is not validated or sanitised. An attacker must provide a link to someone with access to AEM Author, and could potentially exploit this vulnerability to inject malicious JavaScript content into vulnerable form fields and execute it within the context of the victim

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

CVEListV5adobe/experience_managerunspecified5.1.x

🔴Vulnerability Details

2
OSV
Page Compare Reflected Cross-site Scripting (XSS) vulnerability2022-04-26
GHSA
Page Compare Reflected Cross-site Scripting (XSS) vulnerability2022-04-26
CVE-2022-28820 — Cross-site Scripting in Adobe | cvebase