cbcvebase.
CVE-2016-0956
published 2016-02-10

CVE-2016-0956: The Servlets Post component 2.3.6 in Apache Sling, as used in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0, allows remote attackers to obtain sensitive…

PriorityP267high7.5CVSS 3.0
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
46.19%
98.7th percentile
The Servlets Post component 2.3.6 in Apache Sling, as used in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0, allows remote attackers to obtain sensitive information via unspecified vectors.

Affected

3 ranges
VendorProductVersion rangeFixed in
adobeexperience_manager
adobeexperience_manager
adobeexperience_manager

Detection & IOCsextracted from sources · hover to see the quote

commandcurl -F":operation=delete" -F":applyTo=/foldername/*" http://website.com/path/file.html
commandcurl -F":operation=delete" -F":applyTo=/etc/*" https://www.adobedemo.com/content/adobedemolab/welcome-page.html
other:operation=delete
other:applyTo=/<path>/*
  • Detect HTTP POST requests to any AEM endpoint containing form fields ':operation=delete' and ':applyTo' with a wildcard glob pattern (e.g. /etc/*), which is the exploit trigger for CVE-2016-0956.
  • Look for HTTP 500 responses from AEM/Sling containing the string 'org.apache.sling.api.resource.PersistenceException' and 'ChangeLog' in the response body, which indicates successful exploitation and file/folder enumeration.
  • Monitor for unauthenticated DELETE-operation POST requests to SlingPostServlet endpoints (e.g. *.html) with ':applyTo' parameter containing wildcard paths such as '/etc/*', '/content/*'.
  • The HTML response body will contain a 'ChangeLog' field listing enumerated folder/file names when exploitation is successful — alert on this field appearing in 500-error responses from AEM.
  • ·The vulnerability is exploitable only on AEM instances that lack proper security controls or are misconfigured — not all AEM deployments are affected by default.
  • ·No actual files are deleted during exploitation; the attack only triggers an exception response that leaks filesystem path information via the ChangeLog field.
  • ·The fix is available in Servlets POST 2.3.8; Adobe Hot fix 6445 resolves the issue for AEM deployments still on 2.3.6.

CVSS provenance

nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.07.8HIGHAV:N/AC:L/Au:N/C:C/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.