Reflected Cross-site Scripting in ACS Commons

High severity GitHub Reviewed Published Feb 1, 2021 in Adobe-Consulting-Services/acs-aem-commons • Updated Feb 1, 2023

Package

com.adobe.acs:acs-aem-commons (Maven)

Affected versions

< 4.10.0

Patched versions

4.10.0

Description

Impact

ACS Commons version 4.9.2 (and earlier) suffers from a Reflected Cross-site Scripting (XSS) vulnerability in version-compare and page-compare due to invalid JCR characters that are not handled correctly.

An attacker could potentially exploit this vulnerability to inject malicious JavaScript content into vulnerable form fields and execute it within the context of the victim's browser. Exploitation of this issue requires user interaction in order to be successful.

Patches

This issue has been resolved in v4.10.0.

Workarounds

No workarounds exist.

References

N/A

For more information

If you have any questions or comments about this advisory, open an issue in acs-aem-commons.

Credit

This issue was discovered and reported by Christopher Whipp (Christopher.Whipp@servicesaustralia.gov.au).

Reviewed Feb 2, 2021
Published to the GitHub Advisory Database Feb 2, 2021
Published by the National Vulnerability Database Feb 11, 2021
Last updated Feb 1, 2023

Severity

High

EPSS score

0.931%
(83rd percentile)

CVE ID

CVE-2021-21028

GHSA ID

GHSA-f92j-qf46-p6vm

Source code

No known source code