CVE-2022-28820: Page Compare Reflected Cross-site Scripting (XSS) vulnerability
CVSS Score: 6.1 (CVSS 3.1)
Basic Information
CVE ID: CVE-2022-28820
GHSA ID
EPSS Score: 0.78539%
CWE
Published: 4/26/2022
Updated: 1/27/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.adobe.acs:acs-aem-commons | maven | < 5.2.0 | 5.2.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from unsanitized reflection of the 'a' and 'b' parameters in the page-compare.html endpoint. In AEM implementations, JSPs/Servlets handling these parameters would typically use request.getParameter() and directly output values. The advisory confirms lack of validation/sanitization, indicating the parameter handling code in the page comparison component directly injects user input into HTML responses without escaping.
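
The reflection pattern described above, next to a hardened form, as an added example that is not code from acs-aem-commons or from the advisory. The class, method names, markup and path pattern are assumptions made for illustration, and the sample values are constructed.

```java
import java.util.regex.Pattern;

public class PageCompareOutputEncoding {
    // Assumption: 'a' and 'b' are meant to carry repository paths.
    private static final Pattern REPO_PATH = Pattern.compile("/[A-Za-z0-9_./:@-]{1,512}");

    // The pattern the analysis describes: the value goes into HTML as-is.
    static String renderUnescaped(String a, String b) {
        return "<p>Comparing " + a + " with " + b + "</p>";
    }

    // Minimal HTML encoder for element content and quoted attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    static boolean isRepoPath(String v) {
        return v != null && REPO_PATH.matcher(v).matches();
    }

    // Hardened form: reject values that are not path-shaped, encode the rest.
    static String renderEscaped(String a, String b) {
        if (!isRepoPath(a) || !isRepoPath(b)) {
            return "<p>Invalid comparison parameters</p>";
        }
        return "<p>Comparing " + escapeHtml(a) + " with " + escapeHtml(b) + "</p>";
    }

    public static void main(String[] args) {
        String a = "/content/site/en/home";          // constructed sample
        String b = "/content/site/en/home<b>x</b>";  // constructed, inert markup
        System.out.println(renderUnescaped(a, b));   // markup reaches the page
        System.out.println(isRepoPath(b));           // validation layer
        System.out.println(escapeHtml(b));           // encoding layer
        System.out.println(renderEscaped(a, a));     // both layers, valid input
    }
}
```

In AEM code the platform's XSSAPI encoders would normally take the place of the hand-written escapeHtml shown here.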