Reflected Cross-site Scripting (XSS) on version-compare and page-compare tools
Description
ACS Commons version 4.9.2 (and earlier) suffers from a Reflected Cross-site Scripting (XSS) vulnerability in version-compare and page-compare due to invalid JCR characters that are not handled correctly. An attacker could potentially exploit this vulnerability to inject malicious JavaScript content into vulnerable form fields and execute it within the context of the victim's browser. Exploitation of this issue requires user interaction in order to be successful.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in ACS Commons 4.9.2 and earlier allows attackers to inject JavaScript via invalid JCR characters in page-compare and version-compare tools.
Vulnerability
Description
CVE-2021-21043 is a reflected cross-site scripting (XSS) vulnerability in Adobe Consulting Services (ACS) AEM Commons, affecting version 4.9.2 and earlier. The flaw is in the page-compare and version-compare tools: the resource paths they take from the request are not checked for characters that are invalid in JCR names, and are reflected back to the user as-is. Those values are written straight into JavaScript string literals in the HTML response without encoding for that context, so a path containing a single quote terminates the literal and the remainder of the value is parsed as script [1][4].
Exploitation
The attack vector is reflected XSS: the payload travels in the request and is echoed in the server's response to that same request without being stored. Exploitation requires user interaction, such as clicking a crafted link or submitting a malicious form. An attacker must get a victim to visit a specially crafted URL that carries the malicious input in a parameter processed by the affected tools. The bug sits in the JSP templates for the version-compare and page-compare components, where values from the request-adapted model were interpolated directly into JavaScript string literals in the ng-init attribute without escaping. The fix commit declares the acs-aem-commons xss taglib and wraps those values in xss:encodeForJSString(xssAPI, ...), which encodes them for a JavaScript string context before insertion [3][4].
Impact
If exploited, an attacker can execute arbitrary JavaScript in the victim's browser within the victim's AEM session, which could lead to session hijacking, defacement, or redirection to malicious sites. No credentials are needed to build the malicious link, but the script only runs if the person who follows it is logged into the AEM instance, so the practical targets are authenticated AEM users who can be induced to open the crafted URL [1][4].
Mitigation
The issue is fixed in ACS Commons version 4.10.0. No workaround is available, so upgrading to 4.10.0 or later is the only remediation, and anyone running 4.9.2 or earlier should upgrade. The advisory credits Christopher Whipp with discovering and reporting the flaw [3][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.adobe.acs:acs-aem-commons (Maven) | < 4.10.0 | 4.10.0 |
Affected products
- Range: <=4.9.2
- Range: unspecified
Patches
14d769c86606: fixes to page compare and version compare tools
2 files changed · +4 −2
ui.apps/src/main/content/jcr_root/apps/acs-commons/components/utilities/page-compare/page-compare.jsp+2 −1 modified@@ -23,6 +23,7 @@ <%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %> <%@taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %> <%@taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %> +<%@taglib prefix="xss" uri="http://www.adobe.com/consulting/acs-aem-commons/xss" %> <cq:defineObjects /> <sling:adaptTo adaptable="${slingRequest}" adaptTo="com.adobe.acs.commons.wcm.comparisons.model.PageCompareModel" var="model"/> @@ -67,7 +68,7 @@ <div class="page" role="main" ng-controller="MainCtrl" - ng-init="app.resource = '${model.pathA}'; app.resourceB = '${model.pathB}'; app.home = '${request.contextPath}${currentPage.path}.html'; app.a = '${model.versionA}'; app.b = '${model.versionB}'; init();"> + ng-init="app.resource = '${xss:encodeForJSString(xssAPI, model.pathA)}'; app.resourceB = '${xss:encodeForJSString(xssAPI, model.pathB)}'; app.home = '${request.contextPath}${currentPage.path}.html'; app.a = '${model.versionA}'; app.b = '${model.versionB}'; init();"> <div class="content"> <div class="content-container">
ui.apps/src/main/content/jcr_root/apps/acs-commons/components/utilities/version-compare/version-compare.jsp+2 −1 modified@@ -4,6 +4,7 @@ <%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %> <%@taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %> <%@taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %> +<%@taglib prefix="xss" uri="http://www.adobe.com/consulting/acs-aem-commons/xss" %> <cq:defineObjects /> <sling:adaptTo var="model" adaptable="${slingRequest}" adaptTo="com.adobe.acs.commons.version.model.EvolutionModel"/> @@ -28,7 +29,7 @@ <div class="page" role="main" ng-controller="MainCtrl" - ng-init="app.resource = '${model.resourcePath}'; app.home = '${request.contextPath}${currentPage.path}.html'; init();"> + ng-init="app.resource = '${xss:encodeForJSString(xssAPI, model.resourcePath)}'; app.home = '${request.contextPath}${currentPage.path}.html'; init();"> <div ng-show="notifications.length > 0" class="notifications">
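Review bot: the page-compare ng-init hunk encodes model.pathA and model.pathB but leaves model.versionA and model.versionB in the same attribute as raw single-quoted JS string literals (`app.a = '${model.versionA}'; app.b = '${model.versionB}'`). PageCompareModel is adapted from slingRequest, so if the version labels are taken from request parameters they are the same kind of reflected input and need `xss:encodeForJSString(xssAPI, ...)` too; if they are guaranteed to be JCR version names, a short comment saying so would let a reviewer confirm the omission is deliberate rather than missed.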
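Review bot: in the version-compare ng-init hunk (and the page-compare one above it) `app.home = '${request.contextPath}${currentPage.path}.html'` still goes out unencoded. Those values come from the servlet context and the current page rather than from a query parameter, so they are not the reflected input this fix targets, but routing them through the same `xss:encodeForJSString(xssAPI, ...)` call costs nothing and keeps every literal in the attribute under one encoding discipline, which is easier to audit than a mix of encoded and raw interpolations on the same line.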
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-7r83-w6r8-fh6w (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-21043 (advisory)
- github.com/Adobe-Consulting-Services/acs-aem-commons/commit/14d769c86606c4ce9a93c47a19f87e1ad72788d6 (fix commit)
- github.com/Adobe-Consulting-Services/acs-aem-commons/security/advisories/GHSA-f92j-qf46-p6vm (repository advisory)
- helpx.adobe.com/security/products/indesign/apsb21-22.html (Adobe bulletin)
News mentions
No linked articles in our index yet.