Browser back and refresh button attack vulnerability for Author instance. | Community
Skip to main content
M
manishaa5646486
Level 2
September 2, 2022
Solved

Browser back and refresh button attack vulnerability for Author instance.

  • September 2, 2022
  • 3 replies
  • 2113 views
Browser back and refresh button attack vulnerability for Author instance. I have Set Cache-control headers, but issue is partial solved for siteadmin but for welcome screen its exists

    This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
    Best answer by joerghoh

    Please raise a ticket with Adobe support and  include a detailled description how to reproduce.

    Posting potential security issues here in the forums is not the best way to get them fixed.

     

    Thanks for your help,

    Jörg

    3 replies

    joerghoh
    Adobe Employee
    joerghohAdobe EmployeeAccepted solution
    Adobe Employee
    September 4, 2022

    Please raise a ticket with Adobe support and  include a detailled description how to reproduce.

    Posting potential security issues here in the forums is not the best way to get them fixed.

     

    Thanks for your help,

    Jörg

      arunpatidar
      Community Advisor
      arunpatidarCommunity Advisor
      Community Advisor
      September 5, 2022

      Please raise it with Adobe.

       

      Just a side note:

      As AEM Author access is primarily restricted within intranets, it is not exposed to end users, so this won't have a major impact. 

      Arun Patidar
        M
        manishaa5646486Author
        Level 2
        September 9, 2022

        thanks for the reply. I have raised some but they have mentioned as this is not considered a vulnerability within our threat model. So, I'm looking for suggestions.

          joerghoh
          Adobe Employee
          joerghohAdobe Employee
          Adobe Employee
          September 9, 2022

          so if I understand you right, the Adobe security mentioned that this is not covered by their thread-model, but your own security team (or of the customer you are working with) says it is part of their threat-model?

           

          I don't think that you can solve this difference in understanding. Rather let the security teams talk to each other and resolve it themselves. 

            M
            manishaa5646486Author
            Level 2
            September 13, 2022

            thanks

              Terms & ConditionsAccessibility statement

              Loading footer...