CVE-2022-24874 in ACS Commons
Summary
by MITRE • 04/21/2022
ACS Commons is an open source framework for AEM projects. ACS Commons version 5.1.x (and earlier) suffers from a Reflected Cross-site Scripting (XSS) vulnerability in the `/apps/acs-commons/content/page-compare.html` endpoint via the `a` and `b` GET parameters. User input submitted via these parameters is not validated or sanitized. An attacker must provide a link to someone with access to AEM Author, and could potentially exploit this vulnerability to inject malicious JavaScript content into vulnerable form fields and execute it within the context of the victim's browser. The exploitation of this issue requires user interaction in order to be successful. This issue has been resolved in 5.2.0. There are no known workarounds for this issue.
Analysis
by VulDB Data Team • 04/27/2022
The CVE-2022-24874 vulnerability affects ACS Commons, a widely-used open-source framework for Adobe Experience Manager (AEM) projects that provides various out-of-the-box functionalities to accelerate AEM development. This particular vulnerability resides within the page-compare endpoint at /apps/acs-commons/content/page-compare.html which is designed to facilitate comparison between different AEM pages. The flaw represents a classic reflected cross-site scripting vulnerability that impacts version 5.1.x and earlier releases of the framework, making it a significant security concern for organizations relying on this component for their AEM implementations.
The technical flaw stems from inadequate input validation and sanitization in the page-compare endpoint's handling of the GET parameters `a` and `b`. The values submitted through these parameters are neither validated nor sanitized before they are processed and rendered, which allows arbitrary JavaScript to be injected into the response. The vulnerability is categorized as CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting'), one of the most prevalent and best-documented web application weaknesses. Because the flaw is reflected rather than stored, the payload travels in the request itself and is echoed back in the application's response; it executes in the victim's browser context without ever being persisted on the server.
The operational impact of this vulnerability is substantial, although exploitation depends on user interaction: a victim with access to an AEM Author environment must open a malicious link. An attacker could craft a URL containing a JavaScript payload that, when opened by an authenticated AEM author, executes within that author's browser session. The consequences extend beyond simple script execution, as the attacker could leverage the vulnerability to steal session cookies, perform unauthorized actions within the AEM environment, or escalate privileges. The need for user interaction makes the attack less automated than a server-side vulnerability, but it still represents a significant risk in environments where users frequently follow links from external sources or where social engineering is common.
The vulnerability has been addressed in ACS Commons version 5.2.0 through input validation and sanitization that ensures user-supplied parameters are filtered before being processed or rendered in the web response. Organizations using affected versions should upgrade to the patched release promptly. Since no workaround is known, timely patch management and sound security hygiene in AEM environments are the only effective mitigations. From an ATT&CK framework perspective, this vulnerability maps to T1566 (Phishing) and T1203 (Exploitation for Client Execution), illustrating how a web application vulnerability can be used to gain initial access and execute code within a target environment. Security teams should monitor for suspicious requests to the page-compare endpoint and consider network-level controls to block exploitation attempts while the patch is rolled out across all AEM environments.
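As an added illustration of the monitoring recommended above (example code written for this page, not code from ACS Commons or VulDB), the following Python script scans access-log lines for page-compare requests whose `a` or `b` parameter is not a plain content path. The combined-log format, client addresses and paths in the sample are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample lines in Apache combined-log style; addresses, users and
# paths are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - author1 [27/Apr/2022:10:01:12 +0000] "GET /apps/acs-commons/content/page-compare.html?a=/content/site/en/home&b=/content/site/en/about HTTP/1.1" 200 5120
10.0.0.9 - - [27/Apr/2022:10:02:40 +0000] "GET /apps/acs-commons/content/page-compare.html?a=%3Cscript%3Ealert(1)%3C%2Fscript%3E&b=/content/site/en/home HTTP/1.1" 200 4870
10.0.0.7 - author2 [27/Apr/2022:10:03:01 +0000] "GET /content/site/en/home.html HTTP/1.1" 200 9000
"""

PAGE_COMPARE = "/apps/acs-commons/content/page-compare.html"
# Both parameters are expected to carry absolute JCR content paths. A value that
# contains anything outside the path-safe character set (angle brackets, quotes,
# parentheses, ...) is not a legitimate page reference and is worth a look.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9_\-./:]*$")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_params(target):
    """Return {param: decoded value} for a/b values that are not plain content paths."""
    url = urlparse(target)
    if url.path != PAGE_COMPARE:
        return {}
    params = parse_qs(url.query, keep_blank_values=True)
    flagged = {}
    for name in ("a", "b"):
        for raw in params.get(name, []):
            # parse_qs already decoded once; decode again so a double-encoded
            # value is judged on what the browser would finally see.
            value = unquote(raw)
            if not SAFE_PATH.match(value):
                flagged[name] = value
    return flagged


def scan_log(text):
    """Return [(client_ip, flagged_params)] for page-compare requests with a suspicious a/b."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        flagged = suspicious_params(m.group("target"))
        if flagged:
            hits.append((line.split()[0], flagged))
    return hits


if __name__ == "__main__":
    for ip, flagged in scan_log(SAMPLE_LOG):
        print(f"{ip}: suspicious page-compare parameters {flagged}")
```

The allow-list approach mirrors the fix's intent: the endpoint only ever needs a page path in `a` and `b`, so anything else in those parameters is a signal regardless of the specific payload.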