Adobe Experience Manager (AEM) Sling User Information Servlet Exposure

medium Web App Scanning Plugin ID 115056

Language:

Synopsis

Adobe Experience Manager (AEM) Sling User Information Servlet Exposure

Description

The remote Adobe Experience Manager (AEM) Sling User Information Servlet is prone to information disclosure vulnerabilities. An attacker can exploit this issue to gather information about user accounts, including usernames and other details, which could be used in subsequent attacks such as brute-force password guessing or social engineering.

Solution

Restrict access to the endpoint using a .htaccess file, limiting access to known IP Addresses

Plugin Details

Severity: Medium

ID: 115056

Type: remote

Family: Web Applications

Published: 12/4/2025

Updated: 12/4/2025

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information

CWE: 16

OWASP: 2010-A6, 2013-A5, 2017-A6, 2021-A5

WASC: Application Misconfiguration

OWASP API: 2019-API7, 2023-API8