CVE-2022-35697

Name of the Vulnerable Software and Affected Versions Adobe Experience Manager Core Components versions 2.20.6 and earlier

Description The issue is related to a reflected Cross-Site Scripting (XSS) vulnerability, which may allow an attacker to execute malicious JavaScript content within the context of a victim's browser. This can happen if the attacker convinces the victim to visit a URL referencing a vulnerable page. Exploitation of this issue requires low author privilege access. The vulnerability is also related to insufficient protection of the web page structure, which may allow a remote attacker to execute arbitrary code.

Recommendations For versions 2.20.6 and earlier, update to version 2.20.8 to resolve the issue. As a temporary workaround, consider restricting access to the AdaptiveImageServlet to minimize the risk of exploitation. Avoid allowing authors to upload specially crafted SVG images that include malicious JavaScript until the issue is resolved.