Whenever an AEM project goes live, a set of scans is run to ensure that the website adheres to the agreed security and performance guidelines.
The security/penetration tests are usually scheduled a few days ahead of any AEM go-live. Below are the issues most commonly identified on AEM websites.
Horizontal Privilege Escalation Vulnerability
In a horizontal privilege escalation the attacker stays at the same general privilege level but gains access to data or processes of other accounts at that level which should be unavailable to the current account. The classic form is a user-specific resource (an order, a profile, a form submission) addressed by a predictable identifier in the URL or request body; the server looks the record up by identifier without checking that it belongs to the logged-in user, so the tester only has to change the identifier to read another user's data.
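The following is an added example, not code from the page or from AEM: a "view my order" lookup written the vulnerable way (lookup by id only) beside the hardened version (object-level ownership check), plus the probe a tester runs by walking neighbouring ids as one user. The order store, usernames and ids are constructed for illustration.

```python
"""Horizontal privilege escalation: object-level access control.

Added example (not AEM code). Models a typical 'view my order' endpoint
backed by an in-memory store; all data below is constructed for illustration.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested object."""


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str          # username of the account that placed the order
    total: float


# Constructed sample data: two users, one order each.
ORDERS = {
    1001: Order(1001, "alice", 42.00),
    1002: Order(1002, "bob", 1337.00),
}


def get_order_vulnerable(current_user: str, order_id: int) -> Order:
    """Looks the order up by id only. Any authenticated user can read any
    order simply by changing the id in the URL or request body."""
    return ORDERS[order_id]


def get_order_hardened(current_user: str, order_id: int) -> Order:
    """Object-level authorization: the record is returned only if it belongs
    to the caller. A missing id and a foreign id are reported the same way so
    the response does not reveal which ids exist."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != current_user:
        raise Forbidden(f"user {current_user!r} may not access order {order_id}")
    return order


def probe_idor(fetch, current_user: str, ids) -> list:
    """Simulates the tester's check: iterate over neighbouring ids as one user
    and report which ones were returned although they belong to someone else."""
    leaked = []
    for oid in ids:
        try:
            order = fetch(current_user, oid)
        except (Forbidden, KeyError):
            continue
        if order.owner != current_user:
            leaked.append(oid)
    return leaked


if __name__ == "__main__":
    print("vulnerable leaks:", probe_idor(get_order_vulnerable, "alice", range(1000, 1005)))
    print("hardened leaks:  ", probe_idor(get_order_hardened, "alice", range(1000, 1005)))
```

The probe is the same loop the scanner runs: log in as one user, enumerate ids around your own, and flag every response that comes back with someone else's data. The hardened lookup is the fix at the application layer; it does not depend on the ids being unguessable.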
Host Header Injection Vulnerability
Normally the Host header is used by a web server to decide which website should process the received HTTP request: when many websites are hosted on the same IP address, the web server uses the value of this header to route the request to the correct virtual host. The header is, however, entirely under the client's control. If the application trusts it when building absolute URLs (password-reset links, redirects, canonical links) or cache keys, an attacker can send a request with a forged Host (or X-Forwarded-Host) and have the application emit links pointing to a domain of his choosing; this is what the scanners report as Host header injection. The fix is to accept only an explicit allow-list of hostnames at the web server in front of AEM (a default virtual host that rejects unmatched names) and never to build URLs from the request header.
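As an added example (not code from the page or from AEM), here is a password-reset link generator that trusts the request's Host and X-Forwarded-Host headers, beside one that validates Host against a fixed allow-list of the hostnames the site is actually served under. The allow-list, header dictionaries and token are assumptions constructed for the demonstration.

```python
"""Host header injection: building absolute URLs from the Host header.

Added example, not from the page or from AEM. Shows a password-reset link
generator that trusts the request's Host header, beside one that validates
the header against an allow-list of hostnames the site actually serves.
"""
from urllib.parse import urlsplit

# Constructed allow-list: the hostnames this site is deployed under.
ALLOWED_HOSTS = frozenset({"www.example.com", "example.com"})


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Uses whatever host the client sent. If the request carries a foreign
    Host (or an X-Forwarded-Host the proxy did not strip), the link points at
    the attacker's domain and the reset token is leaked when the victim
    clicks it."""
    host = headers.get("X-Forwarded-Host", headers.get("Host", ""))
    return f"https://{host}/reset?token={token}"


def normalize_host(value: str) -> str:
    """Lower-case the header and strip an optional :port. Anything that is
    not a bare hostname (paths, userinfo, more than one colon, so also
    bracketed IPv6 literals, which the allow-list does not contain) is
    rejected rather than guessed at."""
    if not value or "/" in value or "@" in value or value.count(":") > 1:
        raise ValueError("malformed Host header")
    return value.split(":", 1)[0].lower()


def build_reset_link_hardened(headers: dict, token: str) -> str:
    """Ignores forwarding headers and proceeds only when Host is on the
    allow-list. Because the value was matched against a fixed set, the link
    can only ever name one of the site's own hostnames."""
    host = normalize_host(headers.get("Host", ""))
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    return f"https://{host}/reset?token={token}"


def link_host(url: str) -> str:
    """Helper for inspecting which hostname a generated link points to."""
    return urlsplit(url).hostname or ""


if __name__ == "__main__":
    attack = {"Host": "www.example.com", "X-Forwarded-Host": "evil.example.net"}
    print("vulnerable:", build_reset_link_vulnerable(attack, "abc123"))
    print("hardened:  ", build_reset_link_hardened(attack, "abc123"))
    try:
        build_reset_link_hardened({"Host": "evil.example.net"}, "abc123")
    except ValueError as e:
        print("rejected:", e)
```

The same allow-list check belongs at the web server layer as well, so that a request for an unknown Host never reaches AEM; the application-side check is the backstop for cases where the header is consulted anyway.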
Email Flooding Attack
Email flooding is the sending of large volumes of email to an address so that the mailbox overflows or the server hosting it is overwhelmed, a denial-of-service attack. It is also used as a smokescreen: the flood buries important messages, such as notifications indicating a security breach, so that they go unnoticed. On a website the usual vector is a publicly reachable form that triggers outbound mail (contact form, "email this page", registration or password reset) with no rate limiting or CAPTCHA, which the tester can drive in a loop against a single recipient.
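The following is an added example, not code from the page or from AEM: a stand-in for a mail-sending form handler throttled with a sliding window both per client IP and per recipient address, together with a small driver that replays a flood against it. The limits (5 per IP per minute, 3 per recipient per hour), the addresses and the timestamps are assumptions constructed so the behaviour is deterministic.

```python
"""Email flooding: throttling a form that sends mail.

Added example, not from the page or from AEM. A form that triggers outbound
email is throttled per client IP and per recipient with a sliding window, so
one client (or many clients aiming at one mailbox) cannot turn the site into
a mail cannon. Timestamps are passed in explicitly for deterministic results.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allows at most `limit` events per `key` within the last `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class MailForm:
    """Constructed stand-in for a form handler; `sent` records what would
    have been handed to the mail server. Limits are assumed values."""

    def __init__(self):
        self.per_ip = SlidingWindowLimiter(limit=5, window=60.0)
        self.per_recipient = SlidingWindowLimiter(limit=3, window=3600.0)
        self.sent = []

    def submit(self, client_ip: str, recipient: str, body: str, now: float) -> str:
        recipient = recipient.strip().lower()
        # The per-IP check runs first and counts the attempt even if the
        # per-recipient check then rejects it: attempts, not deliveries, are
        # what the client should be budgeted on.
        if not self.per_ip.allow(client_ip, now):
            return "rate_limited_ip"
        if not self.per_recipient.allow(recipient, now):
            return "rate_limited_recipient"
        self.sent.append((recipient, body))
        return "sent"


def flood(form: MailForm, client_ips: list, recipient: str, count: int, start: float = 0.0) -> dict:
    """Replay `count` submissions one second apart, cycling through
    `client_ips`, and tally the outcomes."""
    tally = defaultdict(int)
    for i in range(count):
        ip = client_ips[i % len(client_ips)]
        tally[form.submit(ip, recipient, f"msg {i}", start + i)] += 1
    return dict(tally)


if __name__ == "__main__":
    print("single source:", flood(MailForm(), ["203.0.113.5"], "victim@example.com", 20))
    many = [f"203.0.113.{i}" for i in range(20)]
    print("distributed:  ", flood(MailForm(), many, "victim@example.com", 20))
```

The per-recipient limit is the one that actually protects the mailbox: a per-IP limit alone is defeated by spreading the requests over many addresses, as the distributed run shows. In production the counters live in a shared store rather than process memory, and a CAPTCHA or signed form token in front of the handler raises the cost of automating the submissions in the first place.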