Multiple vulnerabilities in Adobe Experience Manager



Published: 2016-12-13
Risk Low
Patch available YES
Number of vulnerabilities 4
CVE-ID CVE-2016-7885
CVE-2016-7884
CVE-2016-7883
CVE-2016-7882
CWE-ID CWE-352
CWE-79
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Adobe Experience Manager
Client/Desktop applications / Office applications

Vendor Adobe

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Cross-site request forgery

EUVDB-ID: #VU1304

Risk: Low

CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7885

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform CSRF attacks.

The vulnerability is caused by insufficient validation of HTTP request origin in Jackrabbit component. A remote attacker can create a specially crafted web page, trick the victim into visiting this page and perform CSRF attack.

Successful exploitation of the vulnerability may allow an attacker to send arbitrary HTTP request to vulnerable application from victim's browser.

Mitigation

To resolve the vulnerability, please install the following patch:

Adobe Experience Manager 6.2:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...
Adobe Experience Manager 6.1:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...
Adobe Experience Manager 6.0:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...

Vulnerable software versions

Adobe Experience Manager: 6.0 - 6.2

External links

http://helpx.adobe.com/security/products/experience-manager/apsb16-42.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Cross-site scripting

EUVDB-ID: #VU1303

Risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7884

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability is caused by insufficient sanitization of user-supplied input in DAM create assets functionality. A remote attacker can create a specially crafted web page, trick the victim into visiting this page and execute arbitrary HTML and JavaScript code in victim’s browser in security context of vulnerable website.

Successful exploitation of the vulnerability may allow an attacker to perform phishing and drive-by-download attacks as well as steal victim’s cookies.

Mitigation

To resolve the vulnerability, please install the following patch:

Adobe Experience Manager 6.1:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...
Adobe Experience Manager 6.0:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...

Vulnerable software versions

Adobe Experience Manager: 6.0 - 6.1

External links

http://helpx.adobe.com/security/products/experience-manager/apsb16-42.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Cross-site scripting

EUVDB-ID: #VU1302

Risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7883

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability is caused by insufficient sanitization of user-supplied input in create launch Wizard functionality. A remote attacker can create a specially crafted web page, trick the victim into visiting this page and execute arbitrary HTML and JavaScript code in victim’s browser in security context of vulnerable website.

Successful exploitation of the vulnerability may allow an attacker to perform phishing and drive-by-download attacks as well as steal victim’s cookies.

Mitigation

To resolve the vulnerability, please install the following patch:

Adobe Experience Manager 6.2:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...

Vulnerable software versions

Adobe Experience Manager: 6.2

External links

http://helpx.adobe.com/security/products/experience-manager/apsb16-42.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Cross-site scripting

EUVDB-ID: #VU1301

Risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7882

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability is caused by insufficient sanitization of user-supplied input in WCMDebug filter. A remote attacker can create a specially crafted web page, trick the victim into visiting this page and execute arbitrary HTML and JavaScript code in victim’s browser in security context of vulnerable website.

Successful exploitation of the vulnerability may allow an attacker to perform phishing and drive-by-download attacks as well as steal victim’s cookies.

Mitigation

To resolve the vulnerability, please install the following patch:

Adobe Experience Manager 6.2:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...
Adobe Experience Manager 6.1:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...
Adobe Experience Manager 6.0:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...

Vulnerable software versions

Adobe Experience Manager: 6.0 - 6.2

External links

http://helpx.adobe.com/security/products/experience-manager/apsb16-42.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###