SB2016121305 - Multiple vulnerabilities in Adobe Experience Manager

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2016121305

SB2016121305 - Multiple vulnerabilities in Adobe Experience Manager

Published: December 13, 2016

Security Bulletin ID SB2016121305
Severity
Low
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) Cross-site request forgery (CVE-ID: CVE-2016-7885)

The vulnerability allows a remote attacker to perform CSRF attacks.

The vulnerability is caused by insufficient validation of HTTP request origin in Jackrabbit component. A remote attacker can create a specially crafted web page, trick the victim into visiting this page and perform CSRF attack.

Successful exploitation of the vulnerability may allow an attacker to send arbitrary HTTP request to vulnerable application from victim's browser.


2) Cross-site scripting (CVE-ID: CVE-2016-7884)

The vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability is caused by insufficient sanitization of user-supplied input in DAM create assets functionality. A remote attacker can create a specially crafted web page, trick the victim into visiting this page and execute arbitrary HTML and JavaScript code in victim’s browser in security context of vulnerable website.

Successful exploitation of the vulnerability may allow an attacker to perform phishing and drive-by-download attacks as well as steal victim’s cookies.


3) Cross-site scripting (CVE-ID: CVE-2016-7883)

The vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability is caused by insufficient sanitization of user-supplied input in create launch Wizard functionality. A remote attacker can create a specially crafted web page, trick the victim into visiting this page and execute arbitrary HTML and JavaScript code in victim’s browser in security context of vulnerable website.

Successful exploitation of the vulnerability may allow an attacker to perform phishing and drive-by-download attacks as well as steal victim’s cookies.


4) Cross-site scripting (CVE-ID: CVE-2016-7882)

The vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability is caused by insufficient sanitization of user-supplied input in WCMDebug filter. A remote attacker can create a specially crafted web page, trick the victim into visiting this page and execute arbitrary HTML and JavaScript code in victim’s browser in security context of vulnerable website.

Successful exploitation of the vulnerability may allow an attacker to perform phishing and drive-by-download attacks as well as steal victim’s cookies.


Remediation

Install update from vendor's website.

References