CVE-2021-40722: AEM Forms Improper Restriction of XML External Entity Reference
First published: Tue Dec 14 2021(Updated: )
AEM Forms Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by an XML External Entity (XXE) injection vulnerability that could be abused by an attacker to achieve RCE.
Credit: psirt@adobe.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Adobe Experience Manager | <=6.5.10.0 | |
| Adobe Experience Manager Cloud Service |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID for this AEM Forms Cloud Service vulnerability?
The vulnerability ID for this AEM Forms Cloud Service vulnerability is CVE-2021-40722.
What is the severity of CVE-2021-40722?
The severity of CVE-2021-40722 is critical with a score of 9.8.
Which software versions are affected by CVE-2021-40722?
Version 6.5.10.0 (and below) of Adobe Experience Manager and Adobe Experience Manager Cloud Service are affected by CVE-2021-40722.
What is the impact of the XML External Entity (XXE) injection vulnerability?
The XML External Entity (XXE) injection vulnerability can be abused by an attacker to achieve Remote Code Execution (RCE).
How can I fix the CVE-2021-40722 vulnerability?
To fix the CVE-2021-40722 vulnerability, it is recommended to update Adobe Experience Manager to a version that is not affected by this vulnerability.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/weakness
- agent/title
- agent/author
- agent/severity
- agent/references
- agent/first-publish-date
- agent/event
- agent/description
- agent/tags
- agent/source
- vendor/adobe
- canonical/adobe experience manager
- version/adobe experience manager/6.5.10.0
- canonical/adobe experience manager cloud service