CVE-2023-22254 — Cross-site Scripting in Adobe Experience Manager

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

5.4MEDIUMNVD

EPSS

0.8%

top 25.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Adobe Experience Manager Adobe Experience Manager Cloud Service

Timeline

PublishedMar 22

Description

Experience Manager versions 6.5.15.0 (and earlier) are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If a low-privileged attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶NVDadobe/experience_manager< 6.5.16.0

▶NVDadobe/experience_manager_cloud_service< 2023.1.0

▶CVEListV5adobe/experience_managerunspecified — 6.5.15.0+1

🔴Vulnerability Details

CVEList

AEM Reflected XSS Arbitrary code execution↗2023-03-22

▶

GHSA

GHSA-w629-xc8x-7g3v: Experience Manager versions 6↗2023-03-22

▶