Reflected Cross Site Scripting in Version Compare and Page compare tools

[csaoud]

Required Information

• AEM Version, including Service Packs, Cumulative Fix Packs, etc: 6.5.20
• ACS AEM Commons Version: 6.6.0
• Reproducible on Latest? yes

Expected Behavior

When using the compare page or version tool, query parameters should be sanitised and not allow XSS attacks

Actual Behavior

Compare page or version tool allows script tags to be entered inside of query parameters

Steps to Reproduce

An XSS vulnerability was identified in ACS commons tools by Christopher Whipp

This vulnerability can be exploited by an unauthenticated attacker to privilege escalate and remotely execute arbitrary
system commands. User interaction is required for the exploit to be successful.

The following two webpages were discovered to be vulnerable to Reflected Cross Site Scripting (XSS).

1. https:///apps/acs-commons/content/version-compare.html

2. https:///apps/acs-commons/content/page-compare.html

The link below shows a simple Proof of Concept (POC) which demonstrates the vulnerability by injecting a script element into the affected page that opens an alert box.

https:///apps/acs-commons/content/page-compare.html?path=/apps/ams/healthcheck/components/structure/regent&a=latest&b=%22%3E%3Cscript%3ealert(1)%3c/script%3E&pathB=/META-INF

Note: if the AEM user is not currently logged into AEM when clicking the link, then upon login the payload will run