CVE-2020-9743
10.09.2020, 17:15
AEM versions 6.5.5.0 (and below), 6.4.8.1 (and below), 6.3.3.8 (and below) and 6.2 SP1-CFP20 (and below) are affected by an HTML injection vulnerability in the content editor component that allows unauthenticated users to craft an HTTP request that includes arbitrary HTML code in a parameter value. An attacker could then use the malicious GET request to lure victims to perform unsafe actions in the page (ex. phishing).
| Vendor | Product | Version |
|---|---|---|
| adobe | experience_manager | 6.3.0.0 ≤ 𝑥 ≤ 6.3.3.8 |
| adobe | experience_manager | 6.4.0.0 ≤ 𝑥 ≤ 6.4.8.1 |
| adobe | experience_manager | 6.5.0.0 ≤ 𝑥 ≤ 6.5.5.0 |
| adobe | experience_manager | 6.2.0.0:sp1 |
| adobe | experience_manager | 6.2.0.0:sp1-cfp1 |
| adobe | experience_manager | 6.2.0.0:sp1-cfp10 |
| adobe | experience_manager | 6.2.0.0:sp1-cfp11 |
| adobe | experience_manager | 6.2.0.0:sp1-cfp12.1 |
| adobe | experience_manager | 6.2.0.0:sp1-cfp13 |
| adobe | experience_manager | 6.2.0.0:sp1-cfp14 |
| adobe | experience_manager | 6.2.0.0:sp1-cfp15 |
| adobe | experience_manager | 6.2.0.0:sp1-cfp16 |
| adobe | experience_manager | 6.2.0.0:sp1-cfp17 |
| adobe | experience_manager | 6.2.0.0:sp1-cfp18 |
| adobe | experience_manager | 6.2.0.0:sp1-cfp19 |
| adobe | experience_manager | 6.2.0.0:sp1-cfp2 |
| adobe | experience_manager | 6.2.0.0:sp1-cfp20 |
| adobe | experience_manager | 6.2.0.0:sp1-cfp3 |
| adobe | experience_manager | 6.2.0.0:sp1-cfp4 |
| adobe | experience_manager | 6.2.0.0:sp1-cfp5 |
| adobe | experience_manager | 6.2.0.0:sp1-cfp6 |
| adobe | experience_manager | 6.2.0.0:sp1-cfp7 |
| adobe | experience_manager | 6.2.0.0:sp1-cfp8 |
| adobe | experience_manager | 6.2.0.0:sp1-cfp9 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-20 - Improper Input ValidationThe product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.