SOLVED

Cross-site scripting

ariesyinn (Level 3)

Hi all,

I am using AEM 6.2.0.SP1-CFP19. There are two vulnerabilities: 1) Stored cross-site scripting and 2) Cross-site scripting. Can anyone guide me on how to check whether these two vulnerabilities exist in my AEM?

[Screenshot: AEM_vulnerabilities.jpg]

Thanks.

1 Accepted Solution
Correct answer by markus_bulla_adobe (Employee)

Hi @ariesyinn!

AFAIK, details on the exact attack vector or how to reproduce/test for these vulnerabilities are not published.

To verify if your AEM installation is vulnerable, please refer to the fix packs mentioned in the "Download Package" column of your screenshot (taken from this page). If your AEM instances have at least the mentioned version (SP, CFP), the fix for the vulnerability is included. Even if you only have a later CFP installed and skipped the "original" one (e.g. CFP19 instead of the mentioned CFP12), the fix for the vulnerability is included as per Adobe's CFP definition:

"a CFP contains fixes delivered through previous CFPs"
(see the corresponding Release Notes page; for more information see Adobe's Update Release Vehicle Definitions.)

So please verify the version of all your AEM instances (different environments, different instances, author and publish) and make sure that you have at least the mentioned SP and CFP installed.

Hope that helps!

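One way to make the check in the answer above repeatable across every author and publish instance, as an added example that is not part of this thread and not Adobe's own tooling: derive each instance's (SP, CFP) level from the fix-pack packages it reports, then compare it against the minimum level named in the advisory row using the rule that a later CFP carries the fixes of all earlier CFPs. Everything below is assumed for illustration: the package-name patterns (`service-pack-N`, `spN-cfp-M`), the shape of the Package Manager `list.jsp` JSON (a top-level `results` array with a `name` per package), the required level `SP1 CFP12`, and the inventory itself, which is constructed sample data. The example also treats a later service pack as superseding an earlier SP's CFPs; confirm that against the release notes for your target SP before relying on it.

```python
"""Audit AEM 6.x instances for a minimum fix-pack level (SP, CFP).

Added example, not code from the thread or from Adobe. Package naming,
the list.jsp JSON shape and the sample inventory are all assumptions.
"""
import re
from typing import Dict, Iterable, List, NamedTuple


class AemLevel(NamedTuple):
    """Patch level of an AEM instance. Tuple ordering gives SP precedence
    over CFP, so (1, 19) > (1, 12) and (2, 0) > (1, 19)."""
    sp: int
    cfp: int


# Assumed package-name patterns, e.g. "cq-6.2.0-service-pack-1" and
# "cq-6.2.0-sp1-cfp-19". Adjust to what your Package Manager really shows.
SP_RE = re.compile(r"(?:service-pack|sp)-?(\d+)", re.IGNORECASE)
CFP_RE = re.compile(r"cfp-?(\d+)", re.IGNORECASE)


def names_from_packmgr_json(doc: dict) -> List[str]:
    """Extract package names from a /crx/packmgr/list.jsp response.
    The {"results": [{"name": ...}, ...]} shape is an assumption."""
    return [entry["name"] for entry in doc.get("results", []) if "name" in entry]


def installed_level(package_names: Iterable[str]) -> AemLevel:
    """Highest (SP, CFP) among the installed fix-pack packages.

    CFPs are tracked per service pack: the reported CFP is the highest one
    belonging to the highest installed SP. Packages whose name carries no
    SP marker (hotfixes, content packages) are ignored.
    """
    best_sp = 0
    cfp_by_sp: Dict[int, int] = {}
    for name in package_names:
        sp_match = SP_RE.search(name)
        if not sp_match:
            continue
        sp = int(sp_match.group(1))
        best_sp = max(best_sp, sp)
        cfp_match = CFP_RE.search(name)
        cfp = int(cfp_match.group(1)) if cfp_match else 0
        cfp_by_sp[sp] = max(cfp_by_sp.get(sp, 0), cfp)
    return AemLevel(best_sp, cfp_by_sp.get(best_sp, 0))


def is_fixed(installed: AemLevel, required: AemLevel) -> bool:
    """True if the instance carries the fix shipped at `required`.

    Encodes the rule quoted in the answer: a later CFP contains the fixes
    delivered through previous CFPs, so CFP19 satisfies a CFP12 minimum.
    A lower SP never satisfies it, whatever its CFP number.
    """
    return installed >= required


def audit(instances: Dict[str, List[str]], required: AemLevel) -> Dict[str, bool]:
    """Map each instance name to whether it meets the required level."""
    return {name: is_fixed(installed_level(pkgs), required)
            for name, pkgs in instances.items()}


# Constructed sample inventory (not real data): package names per instance,
# covering every environment and both author and publish tiers.
SAMPLE_INSTANCES: Dict[str, List[str]] = {
    "dev-author": ["cq-6.2.0-service-pack-1", "cq-6.2.0-sp1-cfp-19"],
    "prod-author": ["cq-6.2.0-service-pack-1", "cq-6.2.0-sp1-cfp-12"],
    "prod-publish": ["cq-6.2.0-service-pack-1", "cq-6.2.0-sp1-cfp-8"],
    "stage-publish": ["we.retail.all-1.0.0"],  # no fix packs at all
}

# Assumed minimum from the advisory row: SP1 with CFP12.
REQUIRED = AemLevel(sp=1, cfp=12)


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_INSTANCES, REQUIRED).items():
        level = installed_level(SAMPLE_INSTANCES[name])
        status = "OK" if ok else "MISSING FIX"
        print(f"{name:14} SP{level.sp} CFP{level.cfp:<3} {status}")
```

To feed real data in, fetch `list.jsp` from each instance with an account that can read Package Manager and pass the parsed JSON through `names_from_packmgr_json`; keep the instance list explicit rather than discovering it, so an instance that is missing from the inventory shows up as an audit gap instead of silently passing.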