5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
25.3%
Core Components version 2.20.6 (and earlier) suffer from a reflected cross-site scripting (XSS) vulnerability in AdaptiveImageServlet
via SVG images. An attacker with author access can upload a special crafted SVG image (including a malicious Javascript) and obtain a link that, when loaded by another authenticated users, will execute the malicious script and gain access to other user’s session. The issue has been resolved in 2.20.8. There are currently no known workarounds.
CPE | Name | Operator | Version |
---|---|---|---|
com.adobe.cq:core.wcm.components.core | lt | 2.20.8 |