Information Disclosure Vulnerability in Adobe Experience Manager affecting multiple companies including Microsoft, Apple, Amazon, McDonald’s and many more.
This is my first article ever, so don’t mind my writing skills. I really hate writing, but I wanted to share this one with the community.
Hi guys, my name is Fat, 23 years old, Cyber Security Researcher / Bug Bounty Hunter from Kosova.
I usually hunt on HackerOne; this is my HackerOne profile: https://hackerone.com/fattselimi
Today I will share a story regarding a vulnerability that I found in multiple companies including McDonald’s, Amazon, Apple, Microsoft and many more.
I first noticed the AEM (Adobe Experience Manager) content management system when I hunted on BMW Group in HackerOne: https://hackerone.com/bmwgroup
What is Adobe Experience Manager? Response generated by OpenAI:
Adobe Experience Manager (AEM) is a content management system that allows organizations to create, manage, and deliver digital content across multiple channels and devices. It is a web-based platform that helps businesses streamline their digital marketing efforts by providing tools for content creation, management, and delivery. AEM is designed to enable companies to easily create and manage web content, mobile apps, and digital forms, as well as to personalize content and optimize digital experiences. It is widely used by businesses of all sizes and across different industries to improve their online presence and enhance customer engagement.
So basically what I found was an Information Disclosure which led to Internal Email Disclosure in amazon.com.
Let’s see below how I was able to find Internal Email Address Disclosure in an Amazon subdomain.
Thanks to Assetnote I had a big wordlist of subdomains using Adobe Experience Manager. Since this Information Disclosure was affecting AEM, I was looking for Vulnerability Disclosure Programs and Bug Bounty Programs running AEM.
I found that an Amazon subdomain was using AEM.
site:subdomain.*.* inurl:'/content/dam'
Gave me multiple results.
After adding site:subdomain.amazon.com/content/dam/filename.pdf/.children.json
2. In the image you can see the response that we got after we added .children.json after the file.pdf extension.
3. If we look at the jcr:lastModifiedBy JSON parameter,
4. an internal email address is being disclosed there.
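For AEM owners who want to check their own publish tier for this disclosure, here is an added example (not part of the original article) that walks a `.children.json` response body and reports identity-bearing JCR properties. It goes beyond the single `jcr:lastModifiedBy` field named above by also checking `jcr:createdBy` and `cq:lastReplicatedBy`; the sample response and the function names are constructed for illustration.

```python
import json
import re

# JCR/AEM audit properties that record a user identity (assumption: this
# list is illustrative; the article itself only names jcr:lastModifiedBy).
IDENTITY_PROPS = {"jcr:lastModifiedBy", "jcr:createdBy", "cq:lastReplicatedBy"}
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def find_identity_leaks(node, path="$"):
    """Recursively walk parsed JSON and return (json_path, property, value,
    is_email) for every identity property, however deeply it is nested."""
    leaks = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key in IDENTITY_PROPS and isinstance(value, str):
                leaks.append((child, key, value, bool(EMAIL_RE.match(value))))
            else:
                leaks.extend(find_identity_leaks(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            leaks.extend(find_identity_leaks(item, f"{path}[{i}]"))
    return leaks

def audit_response(body):
    """Parse a response body; non-JSON (e.g. an HTML 404 page) means no leak."""
    try:
        return find_identity_leaks(json.loads(body))
    except (json.JSONDecodeError, TypeError):
        return []

# Constructed sample response, not captured from any real site.
SAMPLE = json.dumps([
    {"id": "jcr:content", "jcr:primaryType": "dam:AssetContent",
     "jcr:lastModifiedBy": "jane.doe@corp.example",
     "metadata": {"dc:format": "application/pdf", "jcr:createdBy": "admin"}},
])

if __name__ == "__main__":
    for where, prop, value, is_email in audit_response(SAMPLE):
        kind = "EMAIL" if is_email else "username"
        print(f"{where}: {prop} = {value} [{kind}]")
```

An empty result for responses fetched anonymously from your own publish instance is the outcome you want; any hit means the JSON rendering of that node is reachable without authentication.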
What is the impact of this? Let’s see what OpenAI will say about it below.
Impact of company internal email address disclosure (response from OpenAI):
The impact of company internal email address disclosure can vary depending on the specific circumstances of the situation, but it can have several negative consequences, such as:
The same issue I was able to find in multiple other companies like Apple, Microsoft, McDonald’s and many more.
See below the same issue affecting Microsoft:
See below the same issue affecting Apple:
See below the same issue affecting McDonald’s:
Here you have a Google Dork to find AEM assets easily, thanks to Intigriti for this one.
Some Shodan Dorks and Google Dorks that I use to find websites using Adobe Experience Manager are:
1. Shodan: http.component:"Adobe Experience Manager"
2. Google: site:target.* inurl:'/content/dam'
3. You can use Assetnote Wordlists too: https://wordlists.assetnote.io/
4. Happy hunting.
Thanks for reading. I hope that you liked this article and learned something new regarding Adobe Experience Manager (AEM) Content Management System security, and I hope that this information will help you get some bounty from it.
Follow me on Twitter for more: https://twitter.com/fattselimi or https://www.linkedin.com/in/fatselimi/