Headline
CVE-2022-35697: CVG Image Reflected Cross-site Scripting (XSS) vulnerability
Adobe Experience Manager Core Components version 2.20.6 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim’s browser. Exploitation of this issue requires a low author privilege access.
Impact
Core Components version 2.20.6 (and earlier) suffer from a Reflected Cross-site Scripting (XSS) vulnerability in AdaptiveImageServlet via SVG images. An attacker with author access can upload a special crafted SVG image (including a malicious Javascript) and obtain a link that, when loaded by another authenticated users, will execute the malicious script and gain access to other user’s session.
Patches
The issue has been resolved in 2.20.8.
Workarounds
None
References
N/A
For more information
If you have any questions or comments about this advisory:
- Open an issue in aem-core-wcm-components
Related news
Core Components version 2.20.6 (and earlier) suffer from a reflected cross-site scripting (XSS) vulnerability in `AdaptiveImageServlet` via SVG images. An attacker with author access can upload a special crafted SVG image (including a malicious Javascript) and obtain a link that, when loaded by another authenticated users, will execute the malicious script and gain access to other user's session. The issue has been resolved in 2.20.8. There are currently no known workarounds.