Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 has an expression language injection vulnerability. Successful exploitation could lead to sensitive information disclosure.
The vulnerable endpoint is the following:
The vulnerable parameter is the item GET parameter.
By using the following payload for the item GET parameter
The payload generates the following HTTP response, confirming the execution of the mathematical operation 7*7
It is also possible to access AEM-related variables content and in this way gather sensitive data belonging to the AEM instance (e.g. $(tenant))
By exploiting the vulnerability, an attacker might be able to access sensitive content related to the AEM instance (such as internal state variables).
To fix the vulnerability, it is necessary to update the Adobe AEM instance using the Service Pack 18.104.22.168
Valerio Brussani (valbrux) – NoZero