SCA: security update for com.adobe.acs:acs-aem-commons (GHSA-w5m2-299g-rff5)

medium Tenable Cloud Security Plugin ID 419721

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- ACS Commons version 5.1.x (and earlier) suffers from a Reflected Cross-site Scripting (XSS) vulnerability
in /apps/acs-commons/content/page-compare.html endpoint via the a and b GET parameters. User input
submitted via these parameters is not validated or sanitised. An attacker must provide a link to someone
with access to AEM Author, and could potentially exploit this vulnerability to inject malicious JavaScript
content into vulnerable form fields and execute it within the context of the victim's browser. The
exploitation of this issue requires user interaction in order to be successful. (CVE-2022-28820)

See Also

https://github.com/advisories/GHSA-w5m2-299g-rff5

Plugin Details

Severity: Medium

ID: 419721

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 8.67

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2022-28820

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/26/2022

Vulnerability Publication Date: 4/20/2022

Reference Information

CVE: CVE-2022-28820

cwe: CWE-79