CVE-2020-9743
Severity CVSS v4.0:
Pending analysis
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
10/09/2020
Last modified:
14/09/2021
Description
AEM versions 6.5.5.0 (and below), 6.4.8.1 (and below), 6.3.3.8 (and below) and 6.2 SP1-CFP20 (and below) are affected by an HTML injection vulnerability in the content editor component that allows unauthenticated users to craft an HTTP request that includes arbitrary HTML code in a parameter value. An attacker could then use the malicious GET request to lure victims to perform unsafe actions in the page (ex. phishing).
Impact
Base Score 3.x
6.10
Severity 3.x
MEDIUM
Base Score 2.0
4.30
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:adobe:experience_manager:*:*:*:*:*:*:*:* | 6.3.0.0 (including) | 6.3.3.8 (including) |
| cpe:2.3:a:adobe:experience_manager:*:*:*:*:*:*:*:* | 6.4.0.0 (including) | 6.4.8.1 (including) |
| cpe:2.3:a:adobe:experience_manager:*:*:*:*:*:*:*:* | 6.5.0.0 (including) | 6.5.5.0 (including) |
| cpe:2.3:a:adobe:experience_manager:6.2.0.0:sp1:*:*:*:*:*:* | ||
| cpe:2.3:a:adobe:experience_manager:6.2.0.0:sp1-cfp1:*:*:*:*:*:* | ||
| cpe:2.3:a:adobe:experience_manager:6.2.0.0:sp1-cfp10:*:*:*:*:*:* | ||
| cpe:2.3:a:adobe:experience_manager:6.2.0.0:sp1-cfp11:*:*:*:*:*:* | ||
| cpe:2.3:a:adobe:experience_manager:6.2.0.0:sp1-cfp12.1:*:*:*:*:*:* | ||
| cpe:2.3:a:adobe:experience_manager:6.2.0.0:sp1-cfp13:*:*:*:*:*:* | ||
| cpe:2.3:a:adobe:experience_manager:6.2.0.0:sp1-cfp14:*:*:*:*:*:* | ||
| cpe:2.3:a:adobe:experience_manager:6.2.0.0:sp1-cfp15:*:*:*:*:*:* | ||
| cpe:2.3:a:adobe:experience_manager:6.2.0.0:sp1-cfp16:*:*:*:*:*:* | ||
| cpe:2.3:a:adobe:experience_manager:6.2.0.0:sp1-cfp17:*:*:*:*:*:* | ||
| cpe:2.3:a:adobe:experience_manager:6.2.0.0:sp1-cfp18:*:*:*:*:*:* | ||
| cpe:2.3:a:adobe:experience_manager:6.2.0.0:sp1-cfp19:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page