Platform
java
Component
aem-forms
Fixed in
Forms SP5 add-on for AEM 6.5.5.0
Forms SP8 add-on for AEM 6.4.8.1
CVE-2020-9734 describes a stored cross-site scripting (XSS) vulnerability in Adobe AEM Forms. An authenticated user with 'Author' privileges can inject script into fields associated with the Forms component; when another user views the affected content, that script executes in the victim's browser, potentially resulting in session hijacking, data theft, or defacement. The vulnerability affects versions 6.5.5.0 and below and 6.4.8.1 and below; fixes are provided in the Forms SP5 add-on for AEM 6.5.5.0 and the Forms SP8 add-on for AEM 6.4.8.1 (see 'Fixed in' above).
The impact of CVE-2020-9734 is significant because it allows arbitrary script execution in a victim's browser. An attacker could use it to steal sensitive information such as session cookies and then impersonate legitimate users, or inject content into the Forms page that redirects users to phishing sites or delivers malware. Because injection requires 'Author' privileges, exploitation needs an account inside the AEM Forms authoring environment, and the users most likely to view the affected content are editors and administrators with elevated permissions, whose sessions may grant access to broader systems and data. Because the XSS is stored, the malicious script persists until it is removed, allowing repeated exploitation.
CVE-2020-9734 was publicly disclosed on September 10, 2020. There is no indication of active exploitation campaigns at this time, but the vulnerability's CRITICAL severity and ease of exploitation make it a potential target. No public proof-of-concept (PoC) code has been widely released, although the XSS nature of the vulnerability suggests that developing one would be relatively straightforward. The vulnerability is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS
0.48% (65th percentile)
CVSS Vector
Where the fixed Forms add-on cannot be applied immediately, mitigation for CVE-2020-9734 focuses on reducing the attack surface and detecting malicious activity. Implement strict input validation and sanitization on all user-supplied data within AEM Forms. Restrict 'Author' privileges to only those users who absolutely require them. Employ a Web Application Firewall (WAF) with XSS protection rules to filter potentially malicious requests. Regularly monitor AEM Forms logs for suspicious activity, such as unexpected markup in field values or unusual user behavior. While not a direct fix, these measures can significantly reduce the risk of exploitation.
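The validation and sanitization control above is easiest to get right when it is paired with context-aware output encoding: validate with an allow-list wherever a field has a known shape, and encode for the exact HTML context everything that is rendered. The following is an added illustration of that pattern, not code from this page or from Adobe AEM Forms. The class name, the field-id format, and the sample label and value are assumptions constructed for the example.

```java
// Added example (not Adobe/AEM code): allow-list validation plus
// context-aware HTML output encoding for author-controlled form fields.
import java.util.Locale;
import java.util.regex.Pattern;

public final class FormFieldEncoder {

    private FormFieldEncoder() {}

    /** Encode untrusted text for insertion into an HTML element body. */
    public static String encodeForHtml(String input) {
        if (input == null) return "";
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Encode untrusted text for a quoted HTML attribute value. Every character
     * outside [A-Za-z0-9] becomes a numeric entity, so a value can never close
     * the attribute or start a new one.
     */
    public static String encodeForHtmlAttribute(String input) {
        if (input == null) return "";
        StringBuilder out = new StringBuilder(input.length() * 2);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            boolean alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                         || (c >= '0' && c <= '9');
            if (alnum) {
                out.append(c);
            } else {
                out.append("&#x")
                   .append(Integer.toHexString(c).toUpperCase(Locale.ROOT))
                   .append(';');
            }
        }
        return out.toString();
    }

    // Assumed shape for a form field id: allow-list validation, not sanitization.
    private static final Pattern FIELD_ID = Pattern.compile("^[A-Za-z][A-Za-z0-9_-]{0,63}$");

    public static boolean isValidFieldId(String input) {
        return input != null && FIELD_ID.matcher(input).matches();
    }

    /**
     * Render a label/input pair safely: reject ids that fail the allow-list,
     * encode the label for element-body context and the value for attribute context.
     */
    public static String renderField(String fieldId, String label, String value) {
        if (!isValidFieldId(fieldId)) {
            throw new IllegalArgumentException("rejected field id");
        }
        return "<label for=\"" + fieldId + "\">" + encodeForHtml(label) + "</label>"
             + "<input id=\"" + fieldId + "\" value=\""
             + encodeForHtmlAttribute(value) + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample input: markup in a label and quotes in a value.
        String label = "Name <b>(required)</b>";
        String value = "O'Brien \"Bob\"";
        System.out.println(renderField("fullName", label, value));
        // Contrast: raw concatenation renders the <b> tag as markup. Never do
        // this with author-controlled data; it is the pattern stored XSS abuses.
        System.out.println("<label>" + label + "</label>");
    }
}
```

Run with `javac FormFieldEncoder.java && java FormFieldEncoder`. The first line of output shows the label with `&lt;b&gt;` and the value with every quote encoded; the second shows what unencoded rendering looks like. The field id is validated rather than encoded because its legal shape is known, which is the general rule: validate what has a defined format, encode everything that is free text.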
Update the AEM Forms add-on to Forms SP5 for AEM 6.5.5.0 or Forms SP8 for AEM 6.4.8.1 (or a later version), as appropriate for your AEM release. This corrects the stored XSS vulnerability.
CVE-2020-9734 is a critical stored XSS vulnerability in Adobe AEM Forms versions 6.5.5.0 and below, and 6.4.8.1 and below. It allows attackers with 'Author' privileges to inject malicious scripts.
You are affected if you are running Adobe AEM Forms versions 6.5.5.0 or below, or 6.4.8.1 or below, and have users with 'Author' privileges.
Apply the fixed Forms add-on (SP5 for AEM 6.5.5.0, SP8 for AEM 6.4.8.1). Until it is applied, mitigate by implementing strict input validation, restricting 'Author' privileges, and using a WAF.
There is no confirmed active exploitation, but the vulnerability's severity makes it a potential target.
Refer to the Adobe Security Bulletin: https://www.adobe.com/security/cve/CVE-2020-9734.txt