Risk | Low |
Patch available | YES |
Number of vulnerabilities | 4 |
CVE-ID | CVE-2016-7885 CVE-2016-7884 CVE-2016-7883 CVE-2016-7882 |
CWE-ID | CWE-352 CWE-79 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
Adobe Experience Manager Client/Desktop applications / Office applications |
Vendor | Adobe |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
EUVDB-ID: #VU1304
Risk: Low
CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-7885
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform CSRF attacks.
The vulnerability is caused by insufficient validation of HTTP request origin in Jackrabbit component. A remote attacker can create a specially crafted web page, trick the victim into visiting this page and perform CSRF attack.
Successful exploitation of the vulnerability may allow an attacker to send arbitrary HTTP request to vulnerable application from victim's browser.
MitigationTo resolve the vulnerability, please install the following patch:
Adobe Experience Manager 6.2:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...
Adobe Experience Manager 6.1:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...
Adobe Experience Manager 6.0:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...
Adobe Experience Manager: 6.0 - 6.2
External linkshttp://helpx.adobe.com/security/products/experience-manager/apsb16-42.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU1303
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-7884
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability is caused by insufficient sanitization of user-supplied input in DAM create assets functionality. A remote attacker can create a specially crafted web page, trick the victim into visiting this page and execute arbitrary HTML and JavaScript code in victim’s browser in security context of vulnerable website.
Successful exploitation of the vulnerability may allow an attacker to perform phishing and drive-by-download attacks as well as steal victim’s cookies.
MitigationTo resolve the vulnerability, please install the following patch:
Adobe Experience Manager 6.1:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...
Adobe Experience Manager 6.0:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...
Adobe Experience Manager: 6.0 - 6.1
External linkshttp://helpx.adobe.com/security/products/experience-manager/apsb16-42.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU1302
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-7883
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability is caused by insufficient sanitization of user-supplied input in create launch Wizard functionality. A remote attacker can create a specially crafted web page, trick the victim into visiting this page and execute arbitrary HTML and JavaScript code in victim’s browser in security context of vulnerable website.
Successful exploitation of the vulnerability may allow an attacker to perform phishing and drive-by-download attacks as well as steal victim’s cookies.
MitigationTo resolve the vulnerability, please install the following patch:
Adobe Experience Manager 6.2:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...
Adobe Experience Manager: 6.2
External linkshttp://helpx.adobe.com/security/products/experience-manager/apsb16-42.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU1301
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-7882
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability is caused by insufficient sanitization of user-supplied input in WCMDebug filter. A remote attacker can create a specially crafted web page, trick the victim into visiting this page and execute arbitrary HTML and JavaScript code in victim’s browser in security context of vulnerable website.
Successful exploitation of the vulnerability may allow an attacker to perform phishing and drive-by-download attacks as well as steal victim’s cookies.
MitigationTo resolve the vulnerability, please install the following patch:
Adobe Experience Manager 6.2:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...
Adobe Experience Manager 6.1:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...
Adobe Experience Manager 6.0:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...
Adobe Experience Manager: 6.0 - 6.2
External linkshttp://helpx.adobe.com/security/products/experience-manager/apsb16-42.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.