Vulnerabilities > CVE-2020-3769 - Server-Side Request Forgery (SSRF) vulnerability in Adobe Experience Manager

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
adobe
CWE-918
nessus

Summary

Adobe Experience Manager versions 6.5 and earlier have a server-side request forgery (ssrf) vulnerability. Successful exploitation could lead to sensitive information disclosure.

Vulnerable Configurations

Part Description Count
Application
Adobe
84

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyMisc.
    NASL idADOBE_EXPERIENCE_MANAGER_APSB20-31.NASL
    descriptionThe version of Adobe Experience Manager installed on the remote host is 6.1.x, 6.2.x, 6.3.x, 6.4.x prior to 6.4.8.1, or 6.5.x prior to 6.5.5.0. It is, therefore, affected by multiple vulnerabilities: - An unspecified server-side request forgery (SSRF) that could result in sensitive information disclosure (CVE-2020-9643) - An unspecified cross-site scripting vulnerability that could result in arbitrary javaScript execution (CVE-2020-9644, CVE-2020-9647, CVE-2020-9648, CVE-2020-9651) - An unspecified blind server-side request forgery that could result sensitive information disclosure (CVE-2020-9645) Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-13
    modified2020-06-12
    plugin id137367
    published2020-06-12
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/137367
    titleAdobe Experience Manager 6.1.x < 6.4.8.1 / 6.5.x < 6.5.5.0 (APSB20-32)
  • NASL familyMisc.
    NASL idADOBE_EXPERIENCE_MANAGER_APSB20-15.NASL
    descriptionThe version of Adobe Experience Manager installed on the remote host is 6.1.x, 6.2.x, 6.3.x prior to 6.3.3.8, 6.4.x prior to 6.4.8.0, or 6.5.x prior to 6.5.4.0. It is, therefore, affected by a server-side request forgery (SSRF) vulnerability due to insufficient validation of user-supplied input. A remote, unauthenticated attacker can exploit this, by sending a crafted HTTP request to trick the application to initiate requests to arbitrary systems in order to gain access to sensitive data located in the local network or to send malicious requests to other servers from the vulnerable system. Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-13
    modified2020-03-20
    plugin id134715
    published2020-03-20
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134715
    titleAdobe Experience Manager 6.1.x / 6.2.x / 6.3.x < 6.3.3.8 / 6.4.x < 6.4.8.0 / 6.5.x < 6.5.4.0 (APSB20-15)