CVE-2019-8086
Published 2019-10-25
Priority: P2 · 63 · high · CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 24.26% (97.6th percentile)
Adobe Experience Manager versions 6.5, 6.4, 6.3 and 6.2 have an XML external entity injection vulnerability. Successful exploitation could lead to sensitive information disclosure.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | adobe_experience_manager | — | — |
| adobe | adobe_experience_manager | — | — |
| adobe | adobe_experience_manager | — | — |
| adobe | adobe_experience_manager | — | — |
| adobe | experience_manager | — | — |
| adobe | experience_manager | — | — |
| adobe | experience_manager | — | — |
| adobe | experience_manager | — | — |
Detection & IOCs (extracted from sources)
url: POST /content/{{randstr}} HTTP/1.1
url: /content/{{randstr}}.af.internalsubmit.json
other: sling:resourceType=fd/af/components/guideContainer
other: guideState={"guideState"%3a{"guideDom"%3a{},"guideContext"%3a{"xsdRef"%3a"","guidePrefillXml"%3a"\u0041\u0042\u0043"}}}
path: /content/*.af.internalsubmit.json
- Probe AEM for XXE by first POSTing to /content/<random> with sling:resourceType=fd/af/components/guideContainer to create a resource, then POSTing to /content/<random>.af.internalsubmit.json with a crafted guideState payload containing a guidePrefillXml value (Unicode-encoded 'ABC'). A 200 response with Content-Type: application/json and the string 'ABC' reflected in the body confirms the vulnerability.
- The exploit uses HTTP Basic Auth with default AEM credentials (admin:admin, Base64: YWRtaW46YWRtaW4=). Detect brute-force or default-credential attempts against AEM endpoints using this Authorization header value.
- Shodan fingerprinting queries for exposed AEM instances: http.title:"AEM Sign In", http.component:"Adobe Experience Manager".
- FOFA query to identify exposed AEM login pages: title="aem sign in".
- Google dork to identify exposed AEM login pages: intitle:"aem sign in".
- Detection requires matching all three conditions: HTTP 200 status, response body containing 'ABC', and response Content-Type header containing 'application/json'.
- The Nuclei template uses a two-step attack: step 1 creates a temporary AEM content node, step 2 submits the XXE payload against it. Both requests must succeed for exploitation. The template uses {{randstr}} as a dynamic node name, meaning the exact path varies per scan run.
- The exploit payload uses Unicode escapes (\u0041\u0042\u0043 = 'ABC') within the guidePrefillXml field to smuggle the XXE trigger. Detection rules should account for Unicode-encoded payloads in this parameter.
- The template is scoped to AEM versions 6.2, 6.3, 6.4, and 6.5. The CPE used is cpe:2.3:a:adobe:experience_manager:6.2:*:*:*:*:*:*:*.
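Added example (not part of the Nuclei template or of the sources indexed here): a log-side detector for the create-then-internalsubmit sequence described above, which decodes the guideState JSON before matching so that \uXXXX-escaped content is inspected as text. The record field names (client, method, path, authorization, body), the sample records, and the DOCTYPE/ENTITY heuristic are assumptions made for illustration.

```python
import json, re
from urllib.parse import parse_qs

DEFAULT_AUTH = "Basic YWRtaW46YWRtaW4="   # admin:admin, value quoted above
GUIDE_TYPE = "fd/af/components/guideContainer"
SUBMIT_RE = re.compile(r"^/content/([^/?]+)\.af\.internalsubmit\.json$")
CREATE_RE = re.compile(r"^/content/([^/?.]+)$")

def prefill_xml(body):
    """Decoded guidePrefillXml (json.loads resolves \\uXXXX escapes), or None."""
    raw = parse_qs(body).get("guideState", [None])[0]
    try:
        v = json.loads(raw)["guideState"]["guideContext"]["guidePrefillXml"]
    except (ValueError, KeyError, TypeError):
        return None
    return v if isinstance(v, str) else None

def detect(requests):
    """Return (client, node, tags) for each create-then-submit sequence."""
    created, alerts = set(), []
    for r in requests:
        if r["method"] != "POST":
            continue
        body = r.get("body", "")
        m = CREATE_RE.match(r["path"])
        if m and GUIDE_TYPE in parse_qs(body).get("sling:resourceType", []):
            created.add((r["client"], m.group(1)))   # step 1: node creation
            continue
        m = SUBMIT_RE.match(r["path"])
        xml = prefill_xml(body) if m else None
        if xml is None or (r["client"], m.group(1)) not in created:
            continue
        tags = ["create-then-internalsubmit"]        # step 2 on the same node
        if r.get("authorization") == DEFAULT_AUTH:
            tags.append("default-credentials")
        # Assumption: a DTD or entity declaration is never expected in prefill XML
        if re.search(r"<!\s*(DOCTYPE|ENTITY)", xml, re.I):
            tags.append("dtd-in-prefill")
        alerts.append((r["client"], m.group(1), tags))
    return alerts

# Constructed sample records (not captured traffic), mirroring the IOCs above.
SAMPLE = [
    {"client": "198.51.100.7", "method": "POST", "path": "/content/n1",
     "authorization": DEFAULT_AUTH, "body": "sling:resourceType=" + GUIDE_TYPE},
    {"client": "198.51.100.7", "method": "POST",
     "path": "/content/n1.af.internalsubmit.json", "authorization": DEFAULT_AUTH,
     "body": r'guideState={"guideState"%3a{"guideDom"%3a{},"guideContext"%3a{"xsdRef"%3a"","guidePrefillXml"%3a"\u0041\u0042\u0043"}}}'},
]
```

Because the node name varies per scan run, the detector keys on the (client, node) pair rather than on a fixed path.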
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
No detection rules found.
Nuclei
Adobe Experience Manager - XML External Entity Injection
nuclei·CVSS 7.5
CVE-2019-8086 [HIGH] Adobe Experience Manager - XML External Entity Injection
Adobe Experience Manager 6.5, 6.4, 6.3 and 6.2 are susceptible to XML external entity injection. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Template:
id: CVE-2019-8086
info:
  name: Adobe Experience Manager - XML External Entity Injection
  author: DhiyaneshDk
  severity: high
  description: Adobe Experience Manager 6.5, 6.4, 6.3 and 6.2 are susceptible to XML external entity injection. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized a
No writeups or analysis indexed.