PT-2022-19260 · Adobe · Acs Commons

Published 2022-04-21 · Updated 2022-05-03 · CVE-2022-28820

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: ACS Commons versions 5.1.x and earlier

Description: The issue is a Reflected Cross-site Scripting (XSS) vulnerability in the "/apps/acs-commons/content/page-compare.html" endpoint via the a and b GET parameters. User input submitted via these parameters is neither validated nor sanitized before it is reflected. An attacker must deliver a crafted link to someone with access to AEM Author; if the victim follows it, the attacker could inject malicious JavaScript content into vulnerable form fields and execute it within the context of the victim's browser. Exploitation of this issue therefore requires user interaction to be successful.

Recommendations: For ACS Commons versions 5.1.x and earlier, update to version 5.2.0 to resolve the issue. As a temporary workaround, consider restricting access to the "/apps/acs-commons/content/page-compare.html" endpoint and avoiding the use of the a and b GET parameters until the update is applied.
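As an added defender-side example (not part of this advisory or of the ACS Commons project), the following Python script scans constructed Apache-style access-log lines for requests to the page-compare.html endpoint whose a or b parameters do not look like AEM content paths. The combined log format, the allowed-path pattern and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint named in the advisory; a and b are the reflected GET parameters.
ENDPOINT = "/apps/acs-commons/content/page-compare.html"
# Assumption: legitimate a/b values are AEM content paths such as
# /content/site/en/home (letters, digits, '/', '.', '-', '_', ':').
PATH_RE = re.compile(r"^/[A-Za-z0-9_\-./:]*$")
# Assumption: Apache combined log format (client, timestamp, request line, status).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: one normal compare, one with markup in b, one unrelated.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Apr/2022:10:00:01 +0000] "GET /apps/acs-commons/content/'
    'page-compare.html?a=/content/site/en/home&b=/content/site/en/about HTTP/1.1" 200 5120',
    '10.0.0.9 - - [21/Apr/2022:10:00:07 +0000] "GET /apps/acs-commons/content/'
    'page-compare.html?a=/content/site/en/home&b=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 5210',
    '10.0.0.7 - - [21/Apr/2022:10:00:09 +0000] "GET /content/site/en/home.html HTTP/1.1" 200 9000',
]


def suspicious_params(target):
    """Return {param: decoded value} for a/b values that are not content paths."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return {}
    qs = parse_qs(parts.query, keep_blank_values=True)
    hits = {}
    for name in ("a", "b"):
        for raw in qs.get(name, []):
            value = unquote(raw)  # second decode catches double-encoded values
            if not PATH_RE.match(value):
                hits[name] = value
    return hits


def scan(lines):
    """Parse each log line and collect requests whose a/b parameters look unsafe."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({"client": m.group("client"), "ts": m.group("ts"), "params": hits})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```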

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2022-28820
GHSA-W5M2-299G-RFF5

Affected Products

Acs Commons