CVE-2019-16469
published 2020-01-15CVE-2019-16469: Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 have an expression language injection vulnerability. Successful exploitation could lead to…
PriorityP259high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
17.19%
96.7th percentile
Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 have an expression language injection vulnerability. Successful exploitation could lead to sensitive information disclosure.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | adobe_experience_manager | — | — |
| adobe | experience_manager | >= 6.5.0 < 6.5.3.0 | 6.5.3.0 |
Detection & IOCsextracted from sources · hover to see the quote
url/mnt/overlay/dam/gui/content/assets/metadataeditor.external.html?item=$%7b{{num1}}*{{num2}}%7d
path/mnt/overlay/dam/gui/content/assets/metadataeditor.external.html
- →Send a GET request to the vulnerable AEM endpoint with a URL-encoded EL expression in the `item` parameter (e.g., `item=$%7b<num1>*<num2>%7d`). If the response body contains `data-formid="<product_of_num1_and_num2>"` AND `Embed Code` with HTTP 200, the instance is vulnerable to Expression Language Injection.
- →The EL injection payload is delivered via the `item` query parameter as a URL-encoded expression `${ }` (encoded as `$%7b...%7d`). Detection should look for arithmetic evaluation results reflected in the `data-formid` attribute of the response body.
- →Shodan queries to identify exposed Adobe Experience Manager instances: `http.component:"Adobe Experience Manager"`, `http.component:"adobe experience manager"`, `http.title:"aem sign in"`, `cpe:"cpe:2.3:a:adobe:experience_manager"`.
- →FOFA query to identify exposed AEM login pages: `title="aem sign in"`.
- →Google dork to identify exposed AEM login pages: `intitle:"aem sign in"`.
- ·The vulnerability affects Adobe Experience Manager versions 6.0, 6.1, 6.2, 6.3, 6.4, and 6.5 (prior to Service Pack 6.5.3.0). The detection template uses randomized integer multiplication to confirm server-side EL evaluation, reducing false positives. ↗
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Nuclei
Adobe Experience Manager - Expression Language Injection
nuclei·CVSS 7.5
CVE-2019-16469 [HIGH] Adobe Experience Manager - Expression Language Injection
Adobe Experience Manager - Expression Language Injection
Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 has an expression language injection vulnerability.
Template:
id: CVE-2019-16469
info:
name: Adobe Experience Manager - Expression Language Injection
author: DomenicoVeneziano
severity: high
description: |
Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 has an expression language injection vulnerability.
impact: |
Successful exploitation could lead to sensitive information disclosure
remediation: |
To fix the vulnerability, it is necessary to update the Adobe AEM instance using the Service Pack 6.5.3.0
reference:
- https://nozero.io/en/cve-2019-16469-adobe-aem-expression-language-injection/
- https://owasp.org/www-community/vulnerabilities/Expre
2020-01-15
Published