Platform: adobe
Component: adobe-experience-manager
Fixed in: 6.5.6, 6.4.9, 6.3.4, 6.2.1
CVE-2020-9740 describes a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.5.0 and earlier, 6.4.8.1 and below, 6.3.3.8 and below, and 6.2 SP1-CFP20 and below. This vulnerability allows authenticated users with 'Author' privileges to inject malicious scripts into fields associated with the Design Importer feature. Successful exploitation can lead to the execution of arbitrary JavaScript code within a victim’s browser, potentially resulting in session hijacking, data theft, or defacement.
The impact of CVE-2020-9740 is significant because the vulnerability is easy to exploit and the affected product is widely deployed. Attackers with 'Author' privileges, a relatively common role within AEM deployments, can leverage this vulnerability to inject malicious scripts. These scripts are stored within the AEM repository and executed whenever a user views the affected page. This could allow an attacker to steal session cookies, redirect users to malicious websites, or modify content on the AEM site. Because the XSS is stored, the malicious script persists until it is removed, allowing repeated exploitation against every visitor. Given AEM's role in many enterprise content management systems, a successful attack could compromise sensitive data and disrupt business operations.
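The following Python example, added here and not part of the original advisory or of AEM's own code, illustrates the two layers that separate a stored field from a stored XSS: an allow-list on input and context-aware HTML encoding on output. The repository dict, the field names and the allow-list pattern are assumptions for the demonstration; the real Design Importer field rules are not stated on the page.

```python
import html
import re

# Hypothetical allow-list for a design-level text field such as a title:
# letters, digits, whitespace and a few punctuation characters, max 100 chars.
# This is an assumption; the page does not document the real field rules.
ALLOWED_TEXT = re.compile(r"^[\w\s.,:()/-]{1,100}$")

# Stand-in for the content repository where author-supplied values persist.
_repository = {}


def store_field(field, value, validate=True):
    """Persist an author-supplied value.

    With validate=True (the hardened path) the value must match the allow-list.
    validate=False models the pre-fix behaviour, where anything was stored,
    so the two render functions below can be compared on the same input.
    Returns True if the value was stored, False if it was rejected.
    """
    if validate and not ALLOWED_TEXT.fullmatch(value):
        return False
    _repository[field] = value
    return True


def render_unsafe(field):
    """Vulnerable rendering: the stored value is interpolated verbatim into markup."""
    value = _repository[field]
    return f'<h1 class="design-title" title="{value}">{value}</h1>'


def render_safe(field):
    """Hardened rendering: encode for the HTML context the value lands in."""
    value = _repository[field]
    text_ctx = html.escape(value, quote=False)  # element body: & < >
    attr_ctx = html.escape(value, quote=True)   # attribute value: also " and '
    return f'<h1 class="design-title" title="{attr_ctx}">{text_ctx}</h1>'


def breaks_markup(rendered):
    """Crude demonstration check: does the rendered output contain a tag or an
    event-handler attribute that did not come from the template itself?"""
    extra = rendered.replace('<h1 class="design-title"', "").replace("</h1>", "")
    return bool(re.search(r"<\w+|on\w+\s*=", extra, re.IGNORECASE))


if __name__ == "__main__":
    # Constructed input: harmless text that still contains markup characters.
    store_field("title", 'Spring "Launch" <Promo>', validate=False)
    print("unsafe:", render_unsafe("title"), breaks_markup(render_unsafe("title")))
    print("safe:  ", render_safe("title"), breaks_markup(render_safe("title")))
```

The input filter alone is not sufficient: a value that passes a loose allow-list, or that was stored before the filter existed, is still neutralised by `render_safe`, which is why the fix for a stored XSS belongs at the output boundary as well.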
CVE-2020-9740 was publicly disclosed on September 10, 2020. While no active exploitation campaigns have been definitively linked to this specific vulnerability, the ease of exploitation and the widespread use of AEM make it a potential target. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are available, demonstrating the feasibility of exploitation.
Organizations heavily reliant on Adobe Experience Manager for content management, particularly those with large numbers of users with 'Author' privileges, are at significant risk. Environments with legacy AEM configurations or those lacking robust input validation practices are especially vulnerable. Shared hosting environments utilizing AEM also present a heightened risk due to the potential for cross-tenant exploitation.
• linux / server (adjust the systemd unit name to the one used by your AEM deployment):
journalctl -u adobe-aem -g 'Design Importer' | grep -i 'script'
• generic web:
curl -I <aem_url>/design-importer/ | grep -i 'content-type: javascript'
EPSS
0.48% (65th percentile)
The primary mitigation for CVE-2020-9740 is to upgrade to Adobe Experience Manager version 6.5.6 or later, which contains the fix. If an immediate upgrade is not possible, consider implementing temporary workarounds. Restrict access to the Design Importer feature to only authorized personnel. Implement strict input validation and sanitization on all user-supplied data within the Design Importer. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Monitor AEM logs for suspicious activity, particularly related to the Design Importer feature. After upgrading, confirm the vulnerability is resolved by attempting to inject a test script through the Design Importer and verifying that it is not executed.
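The log-monitoring advice above can be turned into a small detection routine. The Python below is an added example, not part of the advisory or of AEM; the log lines are constructed in the shape of a Sling-style request log, and the `/design-importer/` path is taken from the page's curl example rather than from AEM documentation, so both the format and the path should be adjusted to the real deployment.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in the shape of a request log entry:
#   <timestamp> [<request id>] -> <METHOD> <path?query> <protocol>
# The /design-importer/ path is an assumption based on the page's curl command.
SAMPLE_LOG = """\
10/Sep/2020:10:01:12 +0000 [101] -> GET /content/site/en.html HTTP/1.1
10/Sep/2020:10:02:45 +0000 [102] -> POST /design-importer/import?title=Spring+Launch HTTP/1.1
10/Sep/2020:10:03:07 +0000 [103] -> POST /design-importer/import?title=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1
10/Sep/2020:10:04:51 +0000 [104] -> POST /design-importer/import?title=x%22%20onerror%3Dalert(1) HTTP/1.1
10/Sep/2020:10:05:30 +0000 [105] -> GET /search?q=%3Cscript%3E HTTP/1.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<id>\d+)\] -> (?P<method>[A-Z]+) (?P<target>\S+) "
)

# Indicators of active content in a parameter that should only hold plain text.
# Matching runs on the URL-decoded value so percent-encoding does not hide them.
XSS_INDICATORS = re.compile(
    r"<\s*script|javascript:|on\w+\s*=|<\s*iframe|<\s*svg", re.IGNORECASE
)


def is_design_importer(path):
    """Scope the check to the feature named in the advisory (path is an assumption)."""
    return path.startswith("/design-importer/")


def scan_log(text):
    """Return (request id, method, decoded target) for Design Importer requests
    whose query parameters contain script-like content.

    Requests to other paths are ignored here even if they carry the same
    indicators (line 105 in the sample), keeping the alert tied to this feature.
    """
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        if not is_design_importer(path):
            continue
        decoded = unquote_plus(query)
        if XSS_INDICATORS.search(decoded):
            hits.append((int(m["id"]), m["method"], path + "?" + decoded))
    return hits


if __name__ == "__main__":
    for req_id, method, target in scan_log(SAMPLE_LOG):
        print(f"suspicious request {req_id}: {method} {target}")
```

Decoding before matching is the important detail: a `grep -i script` over the raw log would miss `%3Cscript%3E`, and the event-handler pattern catches attribute-context payloads that never contain the word `script` at all. In production this logic would read the live request log (or the AEM audit log) instead of the embedded sample.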
Update Adobe Experience Manager to a version newer than 6.5.5.0, 6.4.8.1, 6.3.3.8 and 6.2 SP1-CFP20. This fixes the stored XSS vulnerability in the Design Importer component.
CVE-2020-9740 is a critical stored XSS vulnerability in Adobe Experience Manager versions 6.5.5.0 and below, allowing attackers with 'Author' privileges to inject malicious scripts.
You are affected if you are running Adobe Experience Manager version 6.5.5.0, 6.4.8.1, 6.3.3.8 or 6.2 SP1-CFP20, or any earlier release in those branches.
Upgrade to Adobe Experience Manager version 6.5.6 or later to remediate the vulnerability. Implement temporary workarounds if immediate upgrade is not possible.
While no confirmed active campaigns are publicly known, the vulnerability's ease of exploitation makes it a potential target.
Refer to the Adobe Security Bulletin for CVE-2020-9740: https://www.adobe.com/security/advisories/adv20009740.html