CVE-2022-35697: 
Java vulnerability analysis and mitigation

Adobe Experience Manager Core Components version 2.20.6 and earlier contains a reflected Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and disclosed on August 5, 2022, affecting the AdaptiveImageServlet component via SVG images. This security issue has been assigned CVE-2022-35697 (Adobe Advisory).

The vulnerability is classified as a reflected Cross-Site Scripting (XSS) issue (CWE-79). If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

An attacker with author access can upload a specially crafted SVG image containing malicious JavaScript code. When this image is accessed by other authenticated users, the malicious script executes in their browser context, potentially allowing the attacker to gain access to the victim's session (Adobe Advisory).

The vulnerability has been patched in version 2.20.8 of the Adobe Experience Manager Core Components. Users are advised to upgrade to this version or later. No alternative workarounds are available (Adobe Advisory).