aem-forms
Fixed in
Forms SP5 add-on for AEM 6.5.5.0
Forms SP8 add-on for AEM 6.4.8.1
CVE-2020-9734 describes a stored Cross-Site Scripting (XSS) vulnerability within Adobe AEM Forms. This vulnerability allows authenticated users with 'Author' privileges to inject malicious scripts into fields associated with the Forms component. Successful exploitation can lead to the execution of arbitrary JavaScript code in the context of a victim's browser, potentially resulting in session hijacking, data theft, or defacement. The vulnerability impacts versions 6.5.5.0 and below, and 6.4.8.1 and below; Adobe has not released a fixed version.
The impact of CVE-2020-9734 is significant due to the potential for remote code execution within a user's browser. An attacker could leverage this vulnerability to steal sensitive information, such as session cookies, allowing them to impersonate legitimate users. They could also inject malicious content into the Forms page, redirecting users to phishing sites or delivering malware. Given the 'Author' privilege requirement, the attack would likely target users with elevated permissions within the AEM Forms environment, potentially granting access to broader systems and data. The stored nature of the XSS means the malicious script persists until removed, allowing for repeated exploitation.
CVE-2020-9734 was publicly disclosed on September 10, 2020. There is no indication of active exploitation campaigns at this time, but the vulnerability's CRITICAL severity and ease of exploitation make it a potential target. No public proof-of-concept (PoC) code has been widely released, but the XSS nature of the vulnerability suggests that developing a PoC would be relatively straightforward. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations heavily reliant on Adobe AEM Forms for critical business processes are at significant risk. Specifically, deployments with a large number of users with 'Author' privileges, or those lacking robust input validation and sanitization practices, are particularly vulnerable. Shared hosting environments where multiple tenants share the same AEM Forms instance are also at increased risk, as a compromise of one tenant could potentially affect others.
• java / server: Monitor AEM Forms logs for unusual script injections or unexpected user behavior. Look for patterns indicative of XSS payloads in form field data (the pattern uses | alternation, so grep needs -E for extended regular expressions):
grep -iE 'script|onload|onerror' /path/to/aem/logs/error.log
• generic web: Use curl to test form submissions with potentially malicious input. Examine the resulting HTML for evidence of script execution.
curl -X POST -d "<script>alert('XSS')</script>" http://aem-server/forms/submit.html
• generic web: Check response headers for unusual Content-Security-Policy (CSP) configurations that might be bypassed.
curl -I http://aem-server/forms/submit.html | grep Content-Security-Policy
Disclosure
Exploit Status
EPSS
0.48% (65th percentile)
CVSS-vector
As Adobe has not released a fixed version for CVE-2020-9734, mitigation strategies focus on reducing the attack surface and detecting malicious activity. Implement strict input validation and sanitization on all user-supplied data within AEM Forms. Consider restricting 'Author' privileges to only those users who absolutely require them. Employ a Web Application Firewall (WAF) with XSS protection rules to filter out potentially malicious requests. Regularly monitor AEM Forms logs for suspicious activity, such as unusual script injections or unexpected user behavior. While not a direct fix, these measures can significantly reduce the risk of exploitation.
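Added example (not from this page, and not Adobe's or AEM's own code): a Python script that does what the log-monitoring step above describes, scanning form submissions for stored-XSS indicators, and that shows the two mitigations named in the section above, allowlist input validation and output encoding. The log lines are constructed in an assumed AEM-style request-log format with the submitted field and value appended; the field names (comment, title, name, url) and the allowlist rules are assumptions for illustration. It goes one step beyond the grep above by undoing URL and HTML-entity encoding before matching, so an encoded payload is inspected in the form the browser would eventually render.

```python
import html
import re
from urllib.parse import unquote_plus

# Constructed sample lines in an assumed AEM-style request-log format with the submitted
# form field and value appended. This is illustration only, not real AEM log output.
SAMPLE_LOG = """\
10.0.0.5 - author1 [10/Sep/2020:10:01:12 +0000] "POST /content/forms/af/feedback.html HTTP/1.1" 200 field=comment value=Thanks+for+the+quick+reply
10.0.0.7 - author2 [10/Sep/2020:10:02:30 +0000] "POST /content/forms/af/feedback.html HTTP/1.1" 200 field=title value=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
10.0.0.9 - author3 [10/Sep/2020:10:03:44 +0000] "POST /content/forms/af/feedback.html HTTP/1.1" 200 field=name value=&lt;img+src=x+onerror=alert(1)&gt;
10.0.0.2 - author1 [10/Sep/2020:10:04:01 +0000] "POST /content/forms/af/feedback.html HTTP/1.1" 200 field=url value=JaVaScRiPt:alert(1)
10.0.0.4 - author4 [10/Sep/2020:10:05:19 +0000] "POST /content/forms/af/feedback.html HTTP/1.1" 200 field=comment value=Please+describe+the+script+you+use
"""

# Parser for the assumed log format above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d+) '
    r'field=(?P<field>\S+) value=(?P<value>.*)$'
)

# Indicators of HTML/script injection in a field value. Checked after decoding, and
# anchored on markup ("<script", "onerror=", "javascript:") rather than bare words, so a
# comment that merely mentions a script is not flagged.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "html_injection": re.compile(r"<\s*(iframe|object|embed|svg|img)\b", re.I),
}


def normalize(value, rounds=2):
    """Undo up to `rounds` layers of URL (+ and %XX) and HTML-entity encoding so that an
    encoded payload is inspected in the form the browser would render."""
    for _ in range(rounds):
        decoded = html.unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value


def find_indicators(value):
    """Return the names of all indicators that match the decoded value."""
    decoded = normalize(value)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def scan_log(text):
    """Scan log text line by line; return one record per line with at least one indicator."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a form submission record in the assumed format
        found = find_indicators(m.group("value"))
        if found:
            hits.append({"line": lineno, "user": m.group("user"),
                         "field": m.group("field"), "indicators": found})
    return hits


# Hypothetical allowlist rules for two fields: a person's name and an http(s) link.
FIELD_RULES = {
    "name": re.compile(r"[A-Za-z][A-Za-z' .-]{0,79}"),
    "url": re.compile(r"https?://[^\s<>\"']+", re.I),
}


def validate_field(field, value):
    """Allowlist validation on input: True if the value matches the field's rule, or if
    the field has no rule (then output encoding has to carry the load on its own)."""
    rule = FIELD_RULES.get(field)
    return True if rule is None else rule.fullmatch(value) is not None


def encode_for_html(value):
    """Output encoding for stored values rendered into HTML: the browser displays the
    text of a payload instead of executing it."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: user={hit['user']} field={hit['field']} "
              f"indicators={','.join(hit['indicators'])}")
```

Run stand-alone, the script reports lines 2, 3 and 4 of the constructed log: the URL-encoded script tag, the entity-encoded image tag with an event handler, and the mixed-case javascript: URI. The first and fifth lines are clean, even though the fifth contains the word "script" and would be flagged by the raw grep above; conversely the encoded payloads on lines 2 and 3 contain none of the literal strings that grep looks for, which is why decoding before matching matters.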
Update the AEM Forms add-on to Forms SP5 for AEM 6.5.5.0 or Forms SP8 for AEM 6.4.8.1, or a later version, as applicable. This corrects the stored XSS vulnerability.
CVE-2020-9734 is a critical stored XSS vulnerability in Adobe AEM Forms versions 6.5.5.0 and below, and 6.4.8.1 and below. It allows attackers with 'Author' privileges to inject malicious scripts.
You are affected if you are running Adobe AEM Forms versions 6.5.5.0 or below, or 6.4.8.1 or below, and have users with 'Author' privileges.
Adobe has not released a patch. Mitigate by implementing strict input validation, restricting 'Author' privileges, and using a WAF.
There is no confirmed active exploitation, but the vulnerability's severity makes it a potential target.
Refer to the Adobe Security Bulletin: https://www.adobe.com/security/cve/CVE-2020-9734.txt