CVE-2022-35697 – com.adobe.cq:core.wcm.components.core

Package

Manager: maven
Name: com.adobe.cq:core.wcm.components.core
Vulnerable Version: >=0 <2.20.8

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00379 pctl0.58612

Details

AEM WCM Core Components CVG Image vulnerable to Reflected Cross-site Scripting Core Components version 2.20.6 (and earlier) suffer from a reflected cross-site scripting (XSS) vulnerability in `AdaptiveImageServlet` via SVG images. An attacker with author access can upload a special crafted SVG image (including a malicious Javascript) and obtain a link that, when loaded by another authenticated users, will execute the malicious script and gain access to other user's session. The issue has been resolved in 2.20.8. There are currently no known workarounds.

Metadata

Created: 2022-08-11T15:57:01Z
Modified: 2022-08-11T15:57:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-qcgc-6q86-7x2p/GHSA-qcgc-6q86-7x2p.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-qcgc-6q86-7x2p
Finding: F008
Auto approve: 1