
CVE-2022-28820: Page Compare Reflected Cross-site Scripting (XSS) vulnerability

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.78539%
Published: 4/26/2022
Updated: 1/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
com.adobe.acs:acs-aem-commons | maven | < 5.2.0 | 5.2.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is a reflected XSS: the 'a' and 'b' GET parameters of the page-compare.html endpoint are echoed into the HTML response without validation or output encoding. In AEM code, a JSP or servlet handling these parameters would typically read them with request.getParameter() and write the values straight into the markup. The advisory confirms the lack of validation and sanitization, which indicates that the parameter-handling code of the page comparison component injects user input into the HTML response without escaping. Consistent with the CVSS vector (AV:N, PR:N, UI:R), exploitation needs no authentication but does need a victim to open a crafted page-compare.html URL, after which the injected script runs in that user's browser session. Since the two parameters are only meant to carry content paths, the fix has two independent parts: reject values that are not valid paths, and HTML-encode whatever is written into the page.
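As an added illustration (not ACS Commons' code and not the actual page-compare implementation), the following Java shows the reflection pattern described above beside a hardened form that allow-lists each parameter as a /content path and HTML-encodes it on output. The class name, the markup, the `params` map standing in for `request.getParameter()`, the `CONTENT_PATH` rule and the sample request are all assumptions made for the example.

```java
import java.util.Map;
import java.util.regex.Pattern;

/*
 * Added illustration of the reflected-XSS pattern. This is NOT ACS Commons code:
 * the markup, the "params" map standing in for request.getParameter(), and the
 * CONTENT_PATH rule are assumptions chosen to show the vulnerable and the
 * hardened handling side by side.
 */
public class PageCompareReflection {

    /** Vulnerable pattern: parameter values are concatenated into HTML unchanged. */
    static String renderVulnerable(Map<String, String> params) {
        String a = params.getOrDefault("a", "");   // stands in for request.getParameter("a")
        String b = params.getOrDefault("b", "");   // stands in for request.getParameter("b")
        return "<h1>Comparing <span class=\"path\">" + a
             + "</span> with <span class=\"path\">" + b + "</span></h1>";
    }

    /** Assumed allow-list: the compare tool only ever needs absolute /content paths. */
    private static final Pattern CONTENT_PATH =
            Pattern.compile("^/content(?:/[A-Za-z0-9_.\\-]+)+$");

    /** Hardened pattern: validate against the allow-list, then HTML-encode on output. */
    static String renderHardened(Map<String, String> params) {
        String a = requireContentPath(params.getOrDefault("a", ""));
        String b = requireContentPath(params.getOrDefault("b", ""));
        return "<h1>Comparing <span class=\"path\">" + escapeHtml(a)
             + "</span> with <span class=\"path\">" + escapeHtml(b) + "</span></h1>";
    }

    /** Rejects anything that is not shaped like a content path before markup is built. */
    static String requireContentPath(String value) {
        if (!CONTENT_PATH.matcher(value).matches()) {
            throw new IllegalArgumentException("parameter is not a /content path");
        }
        return value;
    }

    /** Minimal HTML entity encoding; in AEM, XSSAPI.encodeForHTML() does this job. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed request: a legitimate path in "a", a script payload in "b".
        Map<String, String> request = Map.of(
                "a", "/content/site/en",
                "b", "\"><script>alert(document.domain)</script>");

        // Vulnerable handler: the <script> element lands in the response unchanged.
        System.out.println(renderVulnerable(request));

        // Hardened handler: the payload is rejected by the allow-list.
        try {
            System.out.println(renderHardened(request));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Defence in depth: even without the allow-list, encoding neutralises the payload.
        System.out.println(escapeHtml(request.get("b")));

        // A benign request passes the hardened handler and renders normally.
        System.out.println(renderHardened(
                Map.of("a", "/content/site/en", "b", "/content/site/de")));
    }
}
```

The two defences are deliberately independent: the allow-list stops the endpoint from doing work on paths it should never compare, while the output encoding protects the markup even if the validation rule is later relaxed (real JCR paths allow more characters than the assumed regex, so an AEM implementation would more likely check that the path resolves via the request's ResourceResolver rather than rely on a character class).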


WAF Protection Rules

WAF Rule

Impact: ACS Commons version 5.1.x (and earlier) suffers from a Reflected Cross-site Scripting (XSS) vulnerability in the `/apps/acs-commons/content/page-compare.html` endpoint via the `a` and `b` GET parameters. User input submitted via these paramet
