CVE-2022-28820
Adobe Consulting Services Reflected Cross-Site Scripting Arbitrary Code Execution
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.1EPSS 1.0%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
21 Apr 2022Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
ACS Commons version 5.1.x (and earlier) suffers from a Reflected Cross-site Scripting (XSS) vulnerability in /apps/acs-commons/content/page-compare.html endpoint via the a and b GET parameters. User input submitted via these parameters is not validated or sanitised. An attacker must provide a link to someone with access to AEM Author, and could potentially exploit this vulnerability to inject malicious JavaScript content into vulnerable form fields and execute it within the context of the victim's browser. The exploitation of this issue requires user interaction in order to be successful.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products
Adobe · Experience Manager