Vulnerability Summary
HackerOne disclosed report --> https://hackerone.com/reports/3543475 by xavlimsg
The account import flow processes ActionText attachment HTML from user-uploaded ZIP content.
In app/models/account/data_transfer/action_text_rich_text_record_set.rb, the import-time method convert_gids_to_sgids converts attacker-controlled gid values into persisted sgid values by resolving the target record globally, without scoping the lookup to the importing account. A gid in the uploaded HTML can therefore name a record the importer does not own, and the sgid minted for it is stored as if it were a legitimate attachment reference. Relevant lines:
app/models/account/data_transfer/action_text_rich_text_record_set.rb:83
app/models/account/data_transfer/action_text_rich_text_record_set.rb:87
app/models/account/data_transfer/action_text_rich_text_record_set.rb:88
app/models/account/data_transfer/action_text_rich_text_record_set.rb:89

An unauthenticated AEM Sling servlet exposes four CRUD operations (getData / getDataById / setData / updateData) on the internal marketing-campaign database, selected by a single option request header. The only access control is a Referer string check, which any HTTP client bypasses by setting that header itself. Anonymous attackers can read the full 79-campaign dataset (including internal segmentation logic and the names of internal prospect databases), create arbitrary new campaigns in the production backoffice, and overwrite existing production campaigns.
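The gid-to-sgid import step from the ActionText entry above, as an added example that is not the project's code: an in-memory stand-in for convert_gids_to_sgids, with the global lookup beside a version that resolves only through the records the import itself created for the importing account. The Record struct, REGISTRY, SECRET, the HMAC-based sgid format and the render_attachment helper are all assumptions made for this demo; the real app uses GlobalID and SignedGlobalID, whose encodings differ.

```ruby
require "openssl"
require "uri"

# Constructed in-memory stand-in for the app's records (not the project's models).
Record = Struct.new(:model, :id, :account_id, :body)

# Constructed data: account 100 is the importer, account 200 is another tenant.
REGISTRY = {
  ["Document", 1] => Record.new("Document", 1, 100, "account 100: quarterly plan"),
  ["Document", 2] => Record.new("Document", 2, 200, "account 200: board minutes"),
}.freeze

SECRET = "constructed-demo-key".freeze # stands in for the app's signing secret

# Parse gid://app/Model/id into [model, id]; nil for anything malformed.
def parse_gid(gid)
  uri = URI.parse(gid.to_s)
  return nil unless uri.scheme == "gid" && uri.host == "app"
  parts = uri.path.split("/").reject(&:empty?)
  return nil unless parts.size == 2 && parts[1].match?(/\A\d+\z/)
  [parts[0], parts[1].to_i]
rescue URI::InvalidURIError
  nil
end

# Stand-in for SignedGlobalID: the gid plus an HMAC that the renderer will trust.
# Minting one is the privileged step, because nothing downstream re-checks ownership.
def mint_sgid(model, id)
  payload = "gid://app/#{model}/#{id}"
  "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)}"
end

# Constant-time string comparison for the signature check.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Rendering side: any sgid with a valid signature is dereferenced and shown,
# regardless of which account is viewing. Returns the record body or nil.
def render_attachment(sgid)
  payload, sig = sgid.to_s.split("--", 2)
  return nil unless payload && sig
  return nil unless secure_equal?(sig, OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload))
  model, id = parse_gid(payload)
  model && REGISTRY[[model, id]]&.body
end

# Vulnerable shape: the gid from the uploaded HTML is resolved against every
# record in the system, and a signed id is minted for whatever it pointed at.
def convert_gid_vulnerable(gid, _importing_account_id)
  model, id = parse_gid(gid)
  record = model && REGISTRY[[model, id]]
  record && mint_sgid(record.model, record.id)
end

# Hardened shape: during an import a gid is only meaningful as a reference to a
# record this import created, so resolve through the import's own id map and
# confirm the record belongs to the importing account before signing anything.
# Unknown or foreign references are dropped rather than resolved.
def convert_gid_scoped(gid, importing_account_id, import_map)
  record = import_map[gid]
  return nil unless record && record.account_id == importing_account_id
  mint_sgid(record.model, record.id)
end

if $PROGRAM_NAME == __FILE__
  hostile = "gid://app/Document/2" # names account 200's record, supplied by account 100's upload
  puts "global lookup renders: #{render_attachment(convert_gid_vulnerable(hostile, 100)).inspect}"
  puts "scoped lookup yields:  #{convert_gid_scoped(hostile, 100, {}).inspect}"
end
```

The scoped version deliberately takes the import's own id map rather than a tenant-filtered global query: a filtered query still lets the uploader pick arbitrary records inside the account, whereas the id map limits attachments to what the import just wrote.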
HackerOne disclosed report --> https://hackerone.com/reports/3676308 by glferreira-devsecops
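The Referer-gated servlet described in the AEM entry above, as an added example that is not the servlet's code: a Rack-style stand-in in which the operation name arrives in the option header, with the Referer check beside one that requires an authenticated principal and an explicit role for the two write operations. The env keys app.current_user and app.params, the campaign-admin role and the CAMPAIGNS data are constructed for this demo.

```ruby
# Constructed sample of the campaign store; a real deployment would back this with a database.
CAMPAIGNS = {
  1 => { "name" => "spring-promo", "segment" => "internal prospect db A" },
}

OPS      = %w[getData getDataById setData updateData].freeze
READ_OPS = %w[getData getDataById].freeze

# The weak check: a substring match on Referer. Every request header is chosen by the
# client, so `curl -H 'Referer: https://www.example.com/'` satisfies it anonymously.
def referer_authorized?(env, _op)
  env.fetch("HTTP_REFERER", "").include?("www.example.com")
end

# The hardened check: an authenticated principal for every operation, and an explicit
# role for the write operations. app.current_user stands in for the real auth layer.
def principal_authorized?(env, op)
  user = env["app.current_user"]
  return false unless user
  READ_OPS.include?(op) || user[:roles].include?("campaign-admin")
end

# Dispatch on the option header, the way the page describes. Returns [status, body].
def dispatch(env, authorizer)
  op = env["HTTP_OPTION"]
  return [400, "unknown option"] unless OPS.include?(op)
  return [403, "forbidden"] unless authorizer.call(env, op)
  params = env.fetch("app.params", {})
  case op
  when "getData"
    [200, CAMPAIGNS.values]
  when "getDataById"
    (c = CAMPAIGNS[params["id"]]) ? [200, c] : [404, "no such campaign"]
  when "setData"
    id = (CAMPAIGNS.keys.max || 0) + 1
    CAMPAIGNS[id] = params["campaign"]
    [201, id]
  when "updateData"
    return [404, "no such campaign"] unless CAMPAIGNS.key?(params["id"])
    CAMPAIGNS[params["id"]] = params["campaign"]
    [200, params["id"]]
  end
end

if $PROGRAM_NAME == __FILE__
  forged = { "HTTP_REFERER" => "https://www.example.com/campaigns", "HTTP_OPTION" => "getData" }
  puts "referer check:   #{dispatch(forged, method(:referer_authorized?)).inspect}"
  puts "principal check: #{dispatch(forged, method(:principal_authorized?)).inspect}"
end
```

The same forged request is fully served by the Referer check and rejected by the principal check; only the latter distinguishes an anonymous client from a logged-in one, and only the role gate separates readers from writers.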