AEM Bug in Adobe

Muhammad Mater
3 min readMay 20, 2023

hi hackers

When I was sleeping in bed, I got the idea to look for security vulnerabilities in Adobe Hunting them to find bugs

Adobe have a bug bounty program hosted on the HackerOne platform

let’s check it

after doing some good recon (we will discuss the process in another post here don’t worry )

I have a lot of domains and analyze the technologies used in developing target-specific web applications.

I got a lot of web technologies in Adobe

web servers

domains run by PHP , domains run by java

The technology that caught my attention is AEM (Adobe Experience Manager).

AEM stands for Adobe Experience Manager. This comprehensive content management solution enables organizations to create, manage, and deliver digital experiences across various channels, including websites, mobile apps, and forms. AEM is designed to help businesses effectively manage their digital content, streamline workflows, and personalize customer experiences.

The first thing I do before starting hunting.

I would like to understand how a web application works and what it does, and explore all its features as a regular user in the beginning to better understand its functionality and operations.

Initially, I wanted to understand how AEM works.

Adobe Experience Manager (AEM) has the following components and functionality:

Content Repository: Stores digital assets, content, and configurations using Apache Jackrabbit Oak.

OSGi Framework: Enables modular development and extensibility.

Authoring Environment: Web-based interface for content creation, editing, and workflow management.

Dispatcher: Caching and load balancing component that improves performance.

Publish Environment: Serves published content to end-users.

Integration and APIs: Integrates with Adobe Marketing Cloud solutions and offers APIs for customization and integration with external systems.

Scalability and Deployment: Supports horizontal scalability and cloud deployments for flexibility and scalability.

This architecture allows AEM to manage and deliver personalized digital experiences across multiple channels effectively.

try to run one

I found that some paths in the web application lack authentication because of a misconfiguration, allowing common users to make changes. Ideally, these edits should only be able to be made by granted administrators.

paths like these :

crx/de
crx/de/index.jsp
crx/explorer/browser/index.jsp
crx/explorer/index.jsp
crx/explorer/nodetypes/index.jsp
crx/explorer/ui/search.jsp?Path=&Query=

okay I have an idea

Let’s search for a wordlist that contains these endpoints

I found them.

Starting fuzzing paths and endpoints

and found paths like this

target/crx/explorer/ui/namespace_editor.jsp

Result :

time to report

and it’s valid

Time to do automation

You can use a nuclei template to detect the AEM (CMS)

After detecting cms ,do fuzzing to all targets with a wordlist

And you can run a Scanners

https://github.com/0ang3el/aem-hacker

https://github.com/0ang3el/aem-rce-bundle

happy hunting

--

--

Muhammad Mater

Just a Boy Loves Infosec (REDTEAM, CTI, OSINT, Bug Bounty)