VYPR
Moderate severity · NVD Advisory · Published Apr 21, 2022 · Updated Sep 17, 2024

Adobe Consulting Services Reflected Cross-Site Scripting Arbitrary Code Execution

CVE-2022-28820

Description

ACS Commons version 5.1.x (and earlier) suffers from a Reflected Cross-site Scripting (XSS) vulnerability in /apps/acs-commons/content/page-compare.html endpoint via the a and b GET parameters. User input submitted via these parameters is not validated or sanitised. An attacker must provide a link to someone with access to AEM Author, and could potentially exploit this vulnerability to inject malicious JavaScript content into vulnerable form fields and execute it within the context of the victim's browser. The exploitation of this issue requires user interaction in order to be successful.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ACS Commons 5.1.x and earlier has a reflected XSS in the page-compare endpoint via unsanitized a and b parameters, requiring user interaction to exploit.

Vulnerability

ACS Commons version 5.1.x (and earlier) suffers from a Reflected Cross-site Scripting (XSS) vulnerability in the /apps/acs-commons/content/page-compare.html endpoint. The a and b GET parameters accept user input that is not validated or sanitized before being reflected in the response [1][3]. This allows an attacker to inject arbitrary JavaScript into the page.

Exploitation

An attacker must craft a malicious link containing JavaScript payloads in the a or b parameters and send it to a user who has access to an AEM Author instance. The victim must click the link, which triggers the reflected XSS. No authentication is required beyond the victim's existing session, but user interaction is necessary for successful exploitation [1][3].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to information disclosure, session hijacking, or other actions performed on behalf of the victim within the AEM Author environment [1][3].

Mitigation

This issue has been resolved in ACS Commons version 5.2.0 [3]. Users should upgrade to 5.2.0 or later. The advisory lists no workarounds [3]; where upgrading is not immediately possible, restricting access to the page-compare endpoint or applying a web application firewall rule that sanitizes the a and b parameters reduces exposure until the upgrade can be applied.
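As an added detection example, not code from the advisory or from ACS Commons, the following Python scans constructed access-log lines for requests to the page-compare endpoint whose a or b parameters, once URL-decoded (including double encoding), are not plain AEM content paths. The allowlist, the log format and the sample lines are assumptions; the same allowlist is what a WAF rule for the interim mitigation would enforce.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Endpoint named in the advisory; Sling selectors/suffixes may follow it.
PAGE_COMPARE = "/apps/acs-commons/content/page-compare"
# Assumption: a and b should only carry AEM content paths; anything else is flagged.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9_\-./:]*$")
# Assumed Common Log Format with a user field, matching the sample below.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# Constructed sample lines (not real traffic): benign, encoded markup,
# unrelated request, double-encoded markup.
SAMPLE_LOG = """\
10.0.0.5 - admin [21/Apr/2022:10:00:00 +0000] "GET /apps/acs-commons/content/page-compare.html?a=/content/site/en/home&b=/content/site/en/about HTTP/1.1" 200 4321
10.0.0.9 - editor [21/Apr/2022:10:05:00 +0000] "GET /apps/acs-commons/content/page-compare.html?a=%3Cscript%3Ex%3C/script%3E&b=/content/site/en/home HTTP/1.1" 200 4321
10.0.0.7 - - [21/Apr/2022:10:06:00 +0000] "GET /content/site/en/home.html HTTP/1.1" 200 100
10.0.0.9 - editor [21/Apr/2022:10:07:00 +0000] "GET /apps/acs-commons/content/page-compare.html?a=%253Cb%253Ebold%253C%252Fb%253E&b=/content/site/en/home HTTP/1.1" 200 4321
"""

def decode_param(value, rounds=3):
    # Bounded repeated decoding so double-encoded input (%253C) is not missed.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(url):
    """Return {name: decoded value} for a/b values that are not plain content paths."""
    parts = urlsplit(url)
    if not parts.path.startswith(PAGE_COMPARE):
        return {}
    qs = parse_qs(parts.query)  # decodes once; "+" becomes a space
    flagged = {}
    for name in ("a", "b"):
        for raw in qs.get(name, []):
            decoded = decode_param(raw)
            if not SAFE_PATH.match(decoded):
                flagged[name] = decoded
    return flagged

def scan_log(text):
    """One hit per log line whose page-compare request carries flagged a/b values."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        params = suspicious_params(m["url"]) if m else {}
        if params:
            hits.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"], "params": params})
    return hits
```

Run against a real Author access log, the hits identify the requesting user and time so the affected session can be reviewed; the allowlist also flags legitimate but unusual paths, so tune it to the repository's naming rules.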

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                         Ecosystem   Affected versions   Patched versions
com.adobe.acs:acs-aem-commons   Maven       < 5.2.0             5.2.0
