core.wcm.components.core is vulnerable to cross-site scripting. The vulnerability exists because the stream function of AdaptiveImageServlet.java does not properly encode the imageName attribute, allowing an attacker to inject and execute malicious JavaScript through a crafted SVG image.