CVE-2019-8080 — Cross-site Scripting in Adobe Experience Manager

CWE-79 — Cross-site Scripting CWE-502 — Deserialization of Untrusted Data CWE-922 — Insecure Storage of Sensitive Information CWE-287 — Improper Authentication19 documents8 sources

Severity

6.1MEDIUMNVD

GHSA9.8

EPSS

0.9%

top 25.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Adobe Experience Manager Adobe Experience Manager

Timeline

PublishedOct 24

Latest updateMay 24

Description

Adobe Experience Manager versions 6.4 and 6.3 have a stored cross site scripting vulnerability. Successful exploitation could lead to privilege escalation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDadobe/experience_manager6.3, 6.4+1

▶CVEListV5adobe/adobe_experience_manager6.4, 6.3

🔴Vulnerability Details

GHSA

GHSA-v47v-44g4-pm6f: Adobe Experience Manager versions 6↗2022-05-24

▶

GHSA

Remote code execution in Apache Tapestry↗2021-06-16

▶

💥Exploits & PoCs

Exploit-DB

Microsoft Exchange 2019 - Unauthenticated Email Download↗2021-05-18

▶

Exploit-DB

Microsoft Exchange 2019 - Server-Side Request Forgery↗2021-03-14

▶

Exploit-DB

Fastweb Fastgate 0.00.81 - Remote Code Execution↗2019-11-13

▶

Exploit-DB

Adive Framework 2.0.7 - Privilege Escalation↗2019-11-08

▶

Exploit-DB

fuel CMS 1.4.1 - Remote Code Execution (1)↗2019-07-19

▶

📋Vendor Advisories

Red Hat

heketi: heketi can be installed using insecure defaults↗2019-04-18

▶

📄Research Papers

CTF

Day-12-Ready,_set,_elf. / README↗2020

▶

💬Community

HackerOne

Docker image with FPM is vulnerable to CVE-2019-11043↗2020-03-14

▶

Bugzilla

CVE-2019-3899 heketi: heketi can be installed using insecure defaults↗2019-04-18

▶