Adobe Experience Manager Sites & More

shikhasoni1 · 4/27/22

how does aem prevents sql injection?

BrianKasingli · 4/27/22

You should be fine, using JCR_SQL2 is read only which means that you can only use the "SELECT" keyword.

View solution in original post

Bhuwan_B · 4/27/22

@shikhasoni1 Please refer to below Community URL to get understanding of AEM Security Best Practices:

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/aem-security-best-practice...

Anish-Sinha · 4/27/22

refer this for the techniques to prevent sql injections - https://labs.tadigital.com/index.php/2018/11/05/sql-injections-overview-and-prevention-techniques/

arunpatidar · 4/27/22

Please note that JCR SQL injections != RDBMS SQL injections. SQL in JCR is strictly read-only. As far as it is possible to manipulate a query the only risk is information leakage. No data can be manipulated as is the case with RDBMSes.

Arun Patidar

sourcedcode · 4/27/22

.

BrianKasingli · 4/27/22

You should be fine, using JCR_SQL2 is read only which means that you can only use the "SELECT" keyword.

maryani · 3/27/23

Hi

How can we prevent blind XPath injection for an AEM page??

Thanks

KiranVe1 · 4/5/24

I have got a similar vulnerbility in our latest report. Did you find any solution for this?

arunpatidar · 4/5/24

Hi @KiranVe1
Could you please check https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/aem-how-can-we-prevent-bli...

Arun Patidar

KiranVe1 · 4/5/24

Thanks @arunpatidar for the response. Does this mean we can ignore the critical vulnerbility in our latest report?

arunpatidar · 4/5/24

Hi @KiranVe1
Yes, you can't update/write on AEM if you don't have permission, and by design there is only read permission for queries.

So you can ignore it.

Adobe Experience Manager Sites & More

how does aem prevents sql injection?

Arun Patidar

Arun Patidar

Arun Patidar

Learn

Documentation

Events

Community

Support

Resources

Adobe account

Adobe