CVE-2019-16469 – Adobe Experience Manager expression language injection vulnerability

Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 has an expression language injection vulnerability. Successful exploitation could lead to sensitive information disclosure

Description

Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 has an expression language injection vulnerability. Successful exploitation could lead to sensitive information disclosure.

Exploitation

The vulnerable endpoint is the following:

https://<BASE_URL>/mnt/overlay/dam/gui/content/assets/metadataeditor.external.html

The vulnerable parameter is the item GET parameter.

By using the following payload for the item GET parameter

$%7b7*7%7d 

The payload generates the following HTTP response, confirming the execution of the mathematical operation 7*7


data-formid=”49

It is also possible to access AEM-related variables content and in this way gather sensitive data belonging to the AEM instance (e.g. $(tenant))

Impact

By exploiting the vulnerability, an attacker might be able to access sensitive content related to the AEM instance (such as internal state variables).

Remediation

To fix the vulnerability, it is necessary to update the Adobe AEM instance using the Service Pack 6.5.3.0 

Credits

Valerio Brussani (valbrux) – NoZero

NoZero