CVE-2019-16469 – Adobe Experience Manager expression language injection vulnerability

Description

Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 have an expression language injection vulnerability. Successful exploitation could lead to sensitive information disclosure.

Exploitation

The vulnerable endpoint is the following:

https://<BASE_URL>/mnt/overlay/dam/gui/content/assets/metadataeditor.external.html

The vulnerable parameter is the item GET parameter.

Sending the following payload in the item GET parameter:

$%7b7*7%7d

produces the following HTTP response, which confirms that the mathematical operation 7*7 was evaluated:

data-formid="49

It is also possible to read the content of AEM-related variables and in this way gather sensitive data belonging to the AEM instance (e.g. $(tenant)).

Impact

By exploiting the vulnerability, an attacker might be able to access sensitive content related to the AEM instance (such as internal state variables).

Remediation

To fix the vulnerability, update the Adobe AEM instance using Service Pack 6.5.3.0.
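
To check whether the endpoint above has already been probed, access logs can be searched for requests whose item parameter contains the expression delimiter once URL decoding is undone. The following Python scan is an added example, not part of the original advisory; the combined-log request format, the sample log lines and the function names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter name are taken from the advisory text.
ENDPOINT = "/mnt/overlay/dam/gui/content/assets/metadataeditor.external.html"
PARAM = "item"
# Assumption: logs carry the request line as "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """Undo repeated URL encoding so double-encoded values are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_item(target):
    """Return the decoded item value if it contains '${', else None."""
    parts = urlsplit(target)
    # endswith tolerates a context-path prefix added by a proxy (assumption).
    if not decode_fully(parts.path).endswith(ENDPOINT):
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        value = decode_fully(raw)  # parse_qs has already decoded one layer
        if "${" in value:
            return value
    return None

def scan(lines):
    """Return (line number, decoded value) for each flagged request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        value = suspicious_item(match.group(1)) if match else None
        if value is not None:
            hits.append((number, value))
    return hits

# Constructed sample log lines (documentation IP ranges, invented paths).
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Jan/2020:10:00:00 +0000] "GET {ENDPOINT}?item=$%7b7*7%7d HTTP/1.1" 200 5120',
    f'198.51.100.7 - - [10/Jan/2020:10:01:00 +0000] "GET {ENDPOINT}?item=/content/dam/site/logo.png HTTP/1.1" 200 8042',
    f'203.0.113.5 - - [10/Jan/2020:10:02:00 +0000] "GET {ENDPOINT}?item=%2524%257b7*7%257d HTTP/1.1" 200 5120',
    '198.51.100.9 - - [10/Jan/2020:10:03:00 +0000] "GET /content/site/page.html?item=$%7bx%7d HTTP/1.1" 404 312',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: item={value!r}")
```

A hit shows only that the parameter carried an expression; whether it was evaluated depends on the instance's patch level.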

Credits

Valerio Brussani (valbrux) – NoZero