Adobe-Consulting-Services / acs-aem-commons

http://adobe-consulting-services.github.io/acs-aem-commons/
Apache License 2.0

XSS vulnerability in the page compare feature on the Author Env #3432

Open kashifsyedqd opened 2 months ago

kashifsyedqd commented 2 months ago

Required Information

Vulnerability reported through Security Scan on AEM Cloud Author env:

BLS T001 Medium XSS bug to be remediated: ADOBE AEM Cloud Reflected Cross-Site Scripting (XSS)

The /apps/acs-commons/content/page-compare.html endpoint in the AEM author application is vulnerable to Reflected XSS via the a and b GET parameters. User input submitted via these parameters is not validated or sanitized. As a result, arbitrary JavaScript code is executed in the victim's browser.

This vulnerability was reported in the previous AEM BAA for 2023 as Finding [T001] and has been assigned CVE-2022-28820. Since that report, the CVE in question was remediated within the AEM ACS Commons project in version 5.2.0. However, according to recent issues on the AEM ACS Commons GitHub project[2], this same vulnerability has been reintroduced into the project, or previous fixes were insufficient.

This vulnerability exists due to a lack of adherence to the following SCF IDs: TDA-06 TDA-06.5 TDA-09 TDA-09.2 TDA-09.3 TDA-09.4 TDA-09.5 TDA-09.7 TDA-18 WEB-09

https://github.com/Adobe-Consulting-Services/acs-aem-commons/releases

ACS Commons latest version 6.6.2

Please describe briefly the expected behavior, i.e. when I do X, Y should happen.

Questions:

Is it possible to fix this issue soon? If not could you please suggest if we can disable the page compare feature in our author env?
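
An added example, not part of the original issue or of the ACS AEM Commons code: while the endpoint remains unfixed, author request logs can be checked for markup characters in the a and b parameters of the reported path. The log layout, the sample lines and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/apps/acs-commons/content/page-compare.html"  # path named in the report
PARAMS = ("a", "b")  # GET parameters named in the report
MARKUP = re.compile(r"[<>\"']")  # characters that can break out of HTML text/attributes
# Assumption: combined-style access log with a quoted request line.
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (not taken from a real system).
SAMPLE_LOG = [
    '10.0.0.5 - alice [01/Jan/2025:10:00:00 +0000] "GET ' + ENDPOINT + '?a=1.0&b=1.1 HTTP/1.1" 200 5120',
    '10.0.0.9 - bob [01/Jan/2025:10:05:00 +0000] "GET ' + ENDPOINT + '?a=%3Cscript%3Ealert(1)%3C/script%3E&b=1.1 HTTP/1.1" 200 5300',
    '10.0.0.9 - bob [01/Jan/2025:10:06:00 +0000] "GET ' + ENDPOINT + '?a=1.0&b=%2522%253E%253Cb%253E HTTP/1.1" 200 5290',
    '10.0.0.7 - carol [01/Jan/2025:10:07:00 +0000] "GET /content/site/en.html?a=%3Cb%3E HTTP/1.1" 200 900',
]


def decode_fully(value, rounds=3):
    """Undo up to `rounds` extra layers of percent-encoding (double-encoded input)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(log_line):
    """Return {param: decoded value} for a/b values that contain markup characters."""
    match = REQUEST.search(log_line)
    if not match:
        return {}
    url = urlsplit(match.group(1))
    # startswith: Sling allows a suffix after the .html extension.
    if not url.path.startswith(ENDPOINT):
        return {}
    hits = {}
    for name in PARAMS:
        for raw in parse_qs(url.query, keep_blank_values=True).get(name, []):
            decoded = decode_fully(raw)  # parse_qs already decoded one layer
            if MARKUP.search(decoded):
                hits[name] = decoded
    return hits


def scan(lines):
    """Return (1-based line number, hits) for every flagged log line."""
    results = [(n, suspicious_params(line)) for n, line in enumerate(lines, 1)]
    return [(n, hits) for n, hits in results if hits]
```

A flagged line shows only that markup reached the endpoint, not that it executed; legitimate values containing quotes would also be flagged and need manual review.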

kwin commented 2 months ago

Can you come up with a PR containing a fix?

kashifsyedqd commented 2 months ago

@kwin I would have loved to but currently my plate is full!