CVE-2020-9742 - OpenCVE

AEM versions 6.5.5.0 (and below), 6.4.8.1 (and below) and 6.3.3.8 (and below) are affected by a stored XSS vulnerability that allows users with 'Author' privileges to store malicious scripts in fields associated with the Inbox calendar feature. These scripts may be executed in a victim’s browser when they open the page containing the vulnerable field.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Adobe	Experience Manager

Configuration 1 [-]

OR	cpe:2.3:a:adobe:experience_manager::::::::
	cpe:2.3:a:adobe:experience_manager::::::::
	cpe:2.3:a:adobe:experience_manager::::::::

No data.

References

Link	Providers
https://helpx.adobe.com/security/products/experience-manager/apsb20-56.html

History

Tue, 17 Sep 2024 04:30:00 +0000

Type	Values Removed	Values Added
Title	Reflected XSS in AEM Inbox module	Reflected XSS in AEM Inbox module

MITRE

Status: PUBLISHED

Assigner: adobe

Published: 2020-09-10T16:35:46.030370Z

Updated: 2024-09-17T04:25:23.465Z

Reserved: 2020-03-02T00:00:00

Link: CVE-2020-9742

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-09-10T17:15:41.283

Modified: 2020-09-16T13:57:47.073

Link: CVE-2020-9742

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Experience Manager", "vendor": "Adobe", "versions": [{"lessThanOrEqual": "6.5.5.0", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "6.4.8.1", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "6.3.3.8", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "None", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2020-09-08T00:00:00", "descriptions": [{"lang": "en", "value": "AEM versions 6.5.5.0 (and below), 6.4.8.1 (and below) and 6.3.3.8 (and below) are affected by a stored XSS vulnerability that allows users with 'Author' privileges to store malicious scripts in fields associated with the Inbox calendar feature. These scripts may be executed in a victim\u2019s browser when they open the page containing the vulnerable field."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Cross-site Scripting (XSS) (CWE-79)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-09-10T16:35:46", "orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://helpx.adobe.com/security/products/experience-manager/apsb20-56.html"}], "source": {"discovery": "EXTERNAL"}, "title": "Reflected XSS in AEM Inbox module", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@adobe.com", "DATE_PUBLIC": "2020-09-08T23:00:00.000Z", "ID": "CVE-2020-9742", "STATE": "PUBLIC", "TITLE": "Reflected XSS in AEM Inbox module"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Experience Manager", "version": {"version_data": [{"version_affected": "<=", "version_value": "6.5.5.0"}, {"version_affected": "<=", "version_value": "6.4.8.1"}, {"version_affected": "<=", "version_value": "6.3.3.8"}, {"version_affected": "<=", "version_value": "None"}]}}]}, "vendor_name": "Adobe"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "AEM versions 6.5.5.0 (and below), 6.4.8.1 (and below) and 6.3.3.8 (and below) are affected by a stored XSS vulnerability that allows users with 'Author' privileges to store malicious scripts in fields associated with the Inbox calendar feature. These scripts may be executed in a victim\u2019s browser when they open the page containing the vulnerable field."}]}, "impact": {"cvss": {"attackComplexity": "Low", "attackVector": "Network", "availabilityImpact": "High", "baseScore": 9.1, "baseSeverity": "Critical", "confidentialityImpact": "High", "integrityImpact": "High", "privilegesRequired": "Low", "scope": "Changed", "userInteraction": "Required", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross-site Scripting (XSS) (CWE-79)"}]}]}, "references": {"reference_data": [{"name": "https://helpx.adobe.com/security/products/experience-manager/apsb20-56.html", "refsource": "MISC", "url": "https://helpx.adobe.com/security/products/experience-manager/apsb20-56.html"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:43:05.119Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://helpx.adobe.com/security/products/experience-manager/apsb20-56.html"}]}]}, "cveMetadata": {"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "assignerShortName": "adobe", "cveId": "CVE-2020-9742", "datePublished": "2020-09-10T16:35:46.030370Z", "dateReserved": "2020-03-02T00:00:00", "dateUpdated": "2024-09-17T04:25:23.465Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adobe:experience_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "F61E8D62-4FB7-48E0-A750-C3F6EBE5F613", "versionEndIncluding": "6.3.3.8", "versionStartIncluding": "6.3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:experience_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "0482E99D-21DC-489C-8E0B-707A70A48FC0", "versionEndIncluding": "6.4.8.1", "versionStartIncluding": "6.4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:experience_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "C9D06479-83AE-4F9A-BAE9-7849798F1A30", "versionEndIncluding": "6.5.5.0", "versionStartIncluding": "6.5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "AEM versions 6.5.5.0 (and below), 6.4.8.1 (and below) and 6.3.3.8 (and below) are affected by a stored XSS vulnerability that allows users with 'Author' privileges to store malicious scripts in fields associated with the Inbox calendar feature. These scripts may be executed in a victim\u2019s browser when they open the page containing the vulnerable field."}, {"lang": "es", "value": "Las versiones de AEM 6.5.5.0 (y anteriores), 6.4.8.1 (y anteriores) y 6.3.3.8 (y anteriores) est\u00e1n afectadas por una vulnerabilidad de tipo XSS almacenado que permite a usuarios con privilegios de \"Author\" almacenar scripts maliciosos en campos asociados con la funcionalidad de calendario Inbox. Estos scripts pueden ser ejecutados en el navegador de la v\u00edctima cuando abre la p\u00e1gina que contiene el campo vulnerable"}], "id": "CVE-2020-9742", "lastModified": "2020-09-16T13:57:47.073", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "psirt@adobe.com", "type": "Secondary"}]}, "published": "2020-09-10T17:15:41.283", "references": [{"source": "psirt@adobe.com", "tags": ["Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/experience-manager/apsb20-56.html"}], "sourceIdentifier": "psirt@adobe.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "psirt@adobe.com", "type": "Secondary"}]}