Risk | Low |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2016-6934 CVE-2016-6933 |
CWE-ID | CWE-79 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | LiveCycle (Universal components / Libraries / Software for developers); Adobe Experience Manager Forms (Client/Desktop applications / Multimedia software) |
Vendor | Adobe |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU1299
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-6934
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability is caused by insufficient sanitization of user-supplied input in PMAdmin. A remote attacker can create a specially crafted web page, trick the victim into visiting it and execute arbitrary HTML and JavaScript code in the victim's browser in the security context of the vulnerable website.
Successful exploitation of the vulnerability may allow an attacker to perform phishing and drive-by-download attacks as well as steal the victim's cookies.
Mitigation
To resolve the vulnerability, please install the patch for your version:
Adobe Experience Manager Forms 6.2:
https://helpx.adobe.com/content/help/en/aem-forms/quick-fixes/6-2/cumulative-jee-patch-0002.html
Adobe Experience Manager Forms 6.1:
https://helpx.adobe.com/content/help/en/aem-forms/quick-fixes/6-1-fp1/prm-1065-020.html
Adobe Experience Manager Forms 6.0:
https://helpx.adobe.com/content/help/en/aem-forms/quick-fixes/6-0-fp1/prm-1043-020.html
LiveCycle 11.0.1:
https://helpx.adobe.com/content/help/en/livecycle/quick-fixes/livecycle-es4-sp1/prm-1161-017.html
LiveCycle 10.0.4:
https://helpx.adobe.com/content/help/en/livecycle/quick-fixes/livecycle-es3-sp2/prm-1065-007.html
Vulnerable software versions
LiveCycle: 10.0.4 - 11.0.1
Adobe Experience Manager Forms: 6.0 - 6.2
External links
https://helpx.adobe.com/security/products/aem-forms/apsb16-40.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU1298
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-6933
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability is caused by insufficient sanitization of user-supplied input in AACComponent. A remote attacker can create a specially crafted web page, trick the victim into visiting it and execute arbitrary HTML and JavaScript code in the victim's browser in the security context of the vulnerable website.
Successful exploitation of the vulnerability may allow an attacker to perform phishing and drive-by-download attacks as well as steal the victim's cookies.
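The descriptions of CVE-2016-6933 and CVE-2016-6934 above both describe the same generic reflected-XSS pattern: a request parameter is written into the generated page without being encoded for its HTML context. The following Python is an added illustration of that pattern and of the fix; it is not Adobe code and says nothing about how PMAdmin or AACComponent actually build their pages. The endpoint, the `name` parameter and the probe string are constructed for the example. It contrasts a page generator that concatenates the parameter into HTML with one that entity-encodes it, and includes the reflection check a tester would run against a patched instance.

```python
"""Reflected XSS (CWE-79): unsafe vs. context-aware encoding at page generation.

Added illustration only. Not Adobe code; the /welcome endpoint, the 'name'
parameter and the probe string are made up for this example.
"""
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed probe: closes a quoted attribute, then injects a tag whose
# event handler would run in the origin of the vulnerable site.
PROBE = '"><img src=x onerror=alert(document.cookie)>'


def param(url: str, name: str) -> str:
    """Return the first value of a query-string parameter, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(user_name: str) -> str:
    """'Before': untrusted input is concatenated straight into the HTML.

    Both the text node and the attribute value are written verbatim, so any
    markup in user_name is parsed by the browser as markup.
    """
    return f'<p>Welcome, {user_name}</p><input name="user" value="{user_name}">'


def render_hardened(user_name: str) -> str:
    """'After': encode for the HTML text and quoted-attribute contexts.

    html.escape(..., quote=True) turns & < > " ' into entities, so whatever
    the parameter contains, the browser sees text rather than tags or
    attribute terminators. The attribute stays double-quoted on purpose;
    an unquoted attribute would need a stricter encoder.
    """
    safe = html.escape(user_name, quote=True)
    return f'<p>Welcome, {safe}</p><input name="user" value="{safe}">'


def reflects_markup(page: str, probe: str) -> bool:
    """Patch-verification check: is the probe echoed with its markup intact?

    True means the injected tag survives into the response and would be
    parsed by a browser; False means it was neutralised (or not reflected).
    """
    return probe in page


def handle(url: str, render) -> str:
    """Tiny stand-in for a servlet: read ?name= from the URL and render."""
    return render(param(url, "name"))


def crafted_url(payload: str) -> str:
    """The 'specially crafted' link an attacker would get a victim to open.

    Hypothetical host and path; the payload is URL-encoded so it travels as
    a single parameter value and is decoded by the server.
    """
    return "https://forms.example.test/welcome?name=" + quote(payload)


if __name__ == "__main__":
    link = crafted_url(PROBE)
    print("vulnerable reflects markup:", reflects_markup(handle(link, render_vulnerable), PROBE))
    print("hardened reflects markup:  ", reflects_markup(handle(link, render_hardened), PROBE))
    print(render_hardened(PROBE))
```

Output encoding at the point where the page is generated is the fix the bulletin's patches correspond to at the class of defect; flagging the session cookie `HttpOnly` and setting a Content Security Policy reduce what a surviving injection can do, but are defence in depth, not a substitute for the encoding.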
Mitigation
To resolve the vulnerability, please install the patch for your version:
Adobe Experience Manager Forms 6.2:
https://helpx.adobe.com/content/help/en/aem-forms/quick-fixes/6-2/cumulative-jee-patch-0002.html
Adobe Experience Manager Forms 6.1:
https://helpx.adobe.com/content/help/en/aem-forms/quick-fixes/6-1-fp1/cor-1064-012.html
Adobe Experience Manager Forms 6.0:
https://helpx.adobe.com/content/help/en/aem-forms/quick-fixes/6-0-fp1/cor-1042-015.html
LiveCycle 11.0.1:
https://helpx.adobe.com/content/help/en/livecycle/quick-fixes/livecycle-es4-sp1/cor-1155-044.html
LiveCycle 10.0.4:
https://helpx.adobe.com/content/help/en/livecycle/quick-fixes/livecycle-es3-sp2/cor-1064-025.html
Vulnerable software versions
LiveCycle: 10.0.4 - 11.0.1
Adobe Experience Manager Forms: 6.0 - 6.2
External links
https://helpx.adobe.com/security/products/aem-forms/apsb16-40.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.