After doing a vulnerability scan we found the following vulnerability. How can I make the page not publicly accessible? It doesn't even mention what the page address is for this. I'm trying to find references to the servlet right now but am having a hard time.
Adobe Experience Manager QueryBuilderFeedServlet page is publicly accessible. Sensitive information might be exposed via AEM's QueryBuilderFeedServlet.
@Kerryu1 Please check the post below, which has a similar query.
You can try something like this in your dispatcher filter rules; "wknd" is a sample site.
##This rule must be the last rule to block content grabbing in all paths
/9997 { /type "deny" /url "/content/dam/*" /suffix "*/bin/querybuilder.json*"}
/9998 { /type "deny" /url "/content/wknd/*" /suffix "*/bin/querybuilder.json*"}
Update: I found the feed to be accessible via '/bin/querybuilder.feed' url. What would be the best approach to making this private? I don't know if it's a crucial endpoint for end users or not as well.
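To confirm from the outside that a filter change took effect, the two QueryBuilder paths named in this thread can be requested anonymously against your own dispatcher. This script is an added example, not part of the original thread or of any Adobe tooling; the host `publish.example.com` is a placeholder, and the helper names and the choice of 401/403/404 as "blocked" are assumptions.

```python
import sys
import urllib.error
import urllib.request

# The two servlet paths named in this thread.
QUERYBUILDER_PATHS = ["/bin/querybuilder.json", "/bin/querybuilder.feed"]
BLOCKED_STATUSES = {401, 403, 404}  # refused or not served to anonymous users


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report 3xx instead of following it


def fetch_status(base_url, path, timeout=10):
    """HTTP status of an anonymous GET for base_url + path."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(base_url.rstrip("/") + path, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status):
    if status in BLOCKED_STATUSES:
        return "blocked"
    if 200 <= status < 300:
        return "exposed"
    return "review"  # redirects, 5xx: check by hand


def audit(base_url, fetch=fetch_status, paths=QUERYBUILDER_PATHS):
    """Map each path to (status, verdict) as an anonymous client sees it."""
    return {p: (s, classify(s)) for p in paths for s in [fetch(base_url, p)]}


def not_blocked(results):
    return sorted(p for p, (_, verdict) in results.items() if verdict != "blocked")


if __name__ == "__main__":
    # Placeholder host: pass your own dispatcher URL as the first argument.
    base = sys.argv[1] if len(sys.argv) > 1 else "https://publish.example.com"
    report = audit(base)
    for path, (status, verdict) in report.items():
        print(f"{status} {verdict:8} {path}")
    sys.exit(1 if not_blocked(report) else 0)
```

The non-zero exit code when any path is not blocked lets the check run as a step after each dispatcher configuration deploy.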