Reposted, as I accidentally marked the answer as accepted.
I am using AEM 6.2.0.SP1-CFP19. There are two vulnerabilities: 1) Stored cross-site scripting and 2) Cross-site scripting. Can anyone guide me on how to check whether these two vulnerabilities exist in my AEM?
I have added this at the dispatcher level. Does this mean the above issues are fixed?
Thanks.
Hi @ariesyinn!
As already pointed out in your other thread, AFAIK there is no public information available on the exact nature of the two specific vulnerabilities you mention. So unfortunately I don't see any way to reproduce the attack vectors and to directly verify whether your AEM environment is still vulnerable to these exact issues. While you could test your application for some kind of XSS, this would still not give you any insight into these two specific vulnerabilities. XSS is a very broad field. I tried to find more details about the nature of the vulnerabilities via their CVEs (as you probably did as well) but was unable to find any public source.
I've already outlined how to verify the version (incl. SP and CFP) that is installed on your AEM instance. That is a first and strong indicator that your environment should no longer be vulnerable to these two specific attack vectors. However, in IT security there is no way to guarantee a 100% secure system.
The rewrite rules that you shared from your dispatcher configuration provide some level of protection against certain XSS attacks. However, the field of XSS is very wide and there may still be other attack vectors that could get past these simple rewrite rules. (Please note: while mod_rewrite can help to provide a certain level of basic protection, it is not a dedicated security tool.)
If you have enhanced security requirements (as often seen for customers from e.g. the financial sector), I recommend that you:
Probably not the answer that you were looking for but hopefully this still helps.
Please refer to the articles below:
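The point made above about dispatcher rewrite rules being only a basic protection can be shown with a small model of the two layers involved. The following is an added example, not code or configuration from this thread: the blocking pattern, URLs and stored value are constructed stand-ins, not the poster's actual rules. A request-level rule only sees the URL, so it can stop a reflected payload in the query string but never sees content that an author has already stored in the repository; output encoding at render time covers both cases.

```python
"""Added example: request-level rewrite filter vs. render-time output encoding.

The rewrite pattern, URLs and stored value below are constructed for this
illustration and do not come from the original poster's dispatcher config.
"""
import html
import re
from urllib.parse import unquote

# Constructed stand-in for a RewriteCond that rejects obvious script tags in
# the request line (case-insensitive, checked after one round of URL-decoding).
BLOCK_PATTERN = re.compile(r"<\s*script", re.IGNORECASE)


def dispatcher_allows(request_line: str) -> bool:
    """Mimic the dispatcher-level check: True if the request would pass."""
    return BLOCK_PATTERN.search(unquote(request_line)) is None


def render_comment(stored_value: str, encode: bool = True) -> str:
    """Render repository content into an HTML text node.

    encode=True HTML-escapes the value (the same effect as context-aware
    escaping in the template layer); encode=False emits it raw, i.e. the
    stored-XSS defect.
    """
    body = html.escape(stored_value, quote=True) if encode else stored_value
    return f'<p class="comment">{body}</p>'


def contains_active_markup(rendered: str) -> bool:
    """Crude check: does the rendered HTML still carry a live script tag?"""
    return BLOCK_PATTERN.search(rendered) is not None


if __name__ == "__main__":
    # Reflected case: the tag travels in the URL, so the rewrite rule sees it.
    print(dispatcher_allows("/content/site/search.html?q=%3Cscript%3E"))  # False

    # Stored case: the same text already sits in the repository (constructed
    # sample). The rewrite rule only sees a harmless page URL and lets the
    # request through; only output encoding neutralises the stored value.
    stored = "<script>stored()</script>"
    print(dispatcher_allows("/content/site/comments.html"))                # True
    print(contains_active_markup(render_comment(stored, encode=False)))    # True
    print(contains_active_markup(render_comment(stored, encode=True)))     # False
```

This is why the version check (SP/CFP level) and proper output encoding in the templates matter more than the rewrite rules alone: the rules cannot act on content that never passes through the request line.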
You can check for tools available for website penetration testing to validate your sites for vulnerabilities.