Adobe Experience Manager (AEM) QueryBuilder JCR Hashed Password Disclosure

high Web App Scanning Plugin ID 115065

Language:

Synopsis

Adobe Experience Manager (AEM) QueryBuilder JCR Hashed Password Disclosure

Description

The remote Adobe Experience Manager (AEM) QueryBuilder Servlet is prone to an information disclosure vulnerability. An unauthenticated attacker can exploit this issue to retrieve the hashed passwords of users in the AEM instance by sending a specially crafted HTTP request to the QueryBuilder Servlet endpoint.

Solution

Restrict access to the endpoint using a .htaccess file, limiting access to known IP Addresses

Plugin Details

Severity: High

ID: 115065

Type: remote

Family: Web Applications

Published: 12/4/2025

Updated: 12/4/2025

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: High

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information

CWE: 16

OWASP: 2010-A6, 2013-A5, 2017-A6, 2021-A5

WASC: Application Misconfiguration

OWASP API: 2019-API7, 2023-API8