Main Vulnerability Database SB2017061303

SB2017061303 - Multiple vulnerabilities in Adobe Captivate

Published: June 13, 2017 Updated: January 12, 2021

Security Bulletin ID SB2017061303

CSH Severity

High

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2017-3087)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to obtain potentially sensitive information

The weakness exists due to improper input validation. A remote attacker can abuse the quiz reporting feature in Captivate and read arbitrary files on the system.

Successful exploitation of the vulnerability results in information disclosure.

2) Input validation error (CVE-ID: CVE-2017-3098)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input in the quiz reporting feature. A remote attacker can pass specially crafted input to the application and execute arbitrary code on the system.

Remediation

Install update from vendor's website.

References

https://helpx.adobe.com/security/products/captivate/apsb17-19.html