CVE-2021-21028: Reflected Cross-site Scripting in ACS Commons
CVSS Score
8.8 (CVSS v3.1)
Basic Information
CVE ID
CVE-2021-21028
GHSA ID
EPSS Score
0.9523%
CWE
Published
2/2/2021
Updated
2/1/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.adobe.acs:acs-aem-commons | maven | < 4.10.0 | 4.10.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The fixing commit wraps the values written into the ng-init directives of the affected JSP files with the xss:encodeForJSString tag. Before the patch, user-controlled JCR paths were interpolated straight into that JavaScript string context with no encoding, so a crafted path parameter could terminate the string literal (or the surrounding HTML attribute) and inject script into the response: a reflected XSS. The fix applies output encoding appropriate to the sink (a JavaScript string literal), which is the general rule for this bug class; encoding for the wrong context, for example HTML entity encoding alone, would not close the quote-breakout in a JS string.
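As an added illustration (not code from the ACS Commons project or from the patch), the JavaScript below models the two shapes of the ng-init interpolation described above: the unpatched version that drops the path straight into the attribute, and the patched version that passes it through a JS-string encoder first. The encoder is a simplified stand-in for encodeForJSString whose exact character set is an assumption, the render and check functions are constructed for this example, and the sample paths are constructed test input.

```javascript
// Added example: models the ng-init injection point and the effect of
// JS-string output encoding on it. Not ACS Commons code.

// Simplified model of an encodeForJSString()-style encoder (assumption: an
// approximation, not the exact Sling/ESAPI behaviour). Alphanumerics and a few
// path-safe characters pass through; every other code unit below 0x100 becomes
// \xHH and everything else becomes \uHHHH, so no quote, slash, angle bracket
// or backslash ever reaches the JavaScript context unescaped.
function encodeForJSString(value) {
  const s = String(value);
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    const code = s.charCodeAt(i);
    if (/^[A-Za-z0-9,._-]$/.test(ch)) {
      out += ch;
    } else if (code < 0x100) {
      out += "\\x" + code.toString(16).toUpperCase().padStart(2, "0");
    } else {
      out += "\\u" + code.toString(16).toUpperCase().padStart(4, "0");
    }
  }
  return out;
}

// Inverse of the encoder: what the JavaScript engine sees after parsing the
// literal. Used to show that encoding is transparent for legitimate paths.
function decodeJsString(encoded) {
  return encoded.replace(/\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})/g,
    (_, x, u) => String.fromCharCode(parseInt(x !== undefined ? x : u, 16)));
}

// "Before" shape (deliberately vulnerable): a user-controlled JCR path written
// straight into the AngularJS expression in the attribute.
function renderNgInitUnpatched(path) {
  return `<div ng-init="path='${path}'"></div>`;
}

// "After" shape: the same interpolation wrapped in the encoder, as the fix does.
function renderNgInitPatched(path) {
  return `<div ng-init="path='${encodeForJSString(path)}'"></div>`;
}

// Returns the JS string literal assigned to `path` only if the ng-init
// attribute consists of exactly that one literal and nothing else; returns
// null when the attribute is missing, truncated or followed by injected code,
// i.e. when the input broke out of the intended string context.
function ngInitPathLiteral(markup) {
  const attr = /ng-init="([^"]*)"/.exec(markup);
  if (!attr) return null;
  const m = /^path='((?:[^'\\]|\\.)*)'$/.exec(attr[1]);
  return m ? m[1] : null;
}

// Stand-alone usage with constructed sample input.
const samples = ["/content/site/en", "'; alert(1); //", '"><script>alert(1)</script>'];
for (const p of samples) {
  console.log(JSON.stringify(p),
    "unpatched:", ngInitPathLiteral(renderNgInitUnpatched(p)) === null ? "BREAKOUT" : "ok",
    "patched:", ngInitPathLiteral(renderNgInitPatched(p)) === null ? "BREAKOUT" : "ok");
}
```

For the benign path both renderings keep the value inside the string literal, and decoding the patched literal gives the original path back. For the two crafted paths the unpatched rendering loses the string boundary (one payload closes the JS string, the other closes the HTML attribute), while the patched rendering still yields a single intact literal whose decoded value is the attacker's text as data, not code.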