A Hacker's perspective on AEM applications security

Wednesday, 30. September 2020 10:30 - 11:00 (30 min)

adaptTo() 2020 is finished. We will publish the slides and video for this talk till end of the year. Participants of this year's adaptTo() conference have early access.


Adobe Experience Manager (AEM), is a comprehensive content management solution for building websites, managing marketing content and assets. I started to look into AEM security back in 2015. Since then I discovered and reported several server-side vulnerabilities and developed toolset for AEM hacking to automate security testing of AEM web-applications.

In 2019 I reported one code injection and three XML external entity (XXE) vulnerabilities to Adobe PSIRT. They are known as CVE-2019-8086, CVE-2019-8087, CVE-2019-8088. These vulnerabilities allow anonymous attackers to compromise AEM web-application.

In the talk, I will disclose details of discovered vulnerabilities and exploitation techniques. Additionally, I want to share a new remarkable technique to bypass misconfigured AEM dispatcher.


Back to schedule