Adobe Experience Manager (AEM) is a content management solution for building websites, mobile apps, and forms.
In some instances of AEM, due to lack of proper security controls and or misconfiguration, it is possible for remote unauthenticated users to enumerate local system files/folders that arent accessible publicly to unauthenticated users.
This issue originates from Servlets Post component 2.3.6 (part of Apache Sling), as used in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0.
Apply the latest security hot fixes for Adobe Experience Manager. These hot fixes resolve important vulnerabilities that could potentially lead to information disclosure.
Apache Sling Framework (Adobe AEM) 2.3.6 - Information Disclosure