Multiple vulnerabilities in Adobe Experience Manager

Published: 2017-08-08 18:25:37
Severity High
Patch available YES
Number of vulnerabilities 3
CVSSv2 (one score per vulnerability, in the order of the advisory sections below)
1) 7.4 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
2) 3.7 (AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
3) 3.7 (AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
CVSSv3
1) 8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
2) 4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
3) 4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE ID
1) CVE-2017-3108
2) CVE-2017-3107
3) CVE-2017-3110
CWE ID
1) CWE-434
2) CWE-200
3) CWE-200
Exploitation vector Network
Public exploit Not available
Vulnerable software Adobe Experience Manager
Vulnerable software versions Adobe Experience Manager 6.0
Adobe Experience Manager 6.1
Adobe Experience Manager 6.2
Adobe Experience Manager 6.3
Vendor URL Adobe
Advisory type Public

Security Advisory

1) Improper file type validation

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to insufficient validation of the type of uploaded files. A remote attacker can bypass the validation and upload a malicious file to the vulnerable system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
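The advisory does not publish how the AEM check is bypassed, so the following is a generic illustration of CWE-434 rather than Adobe's code: an extension-only validator (the vulnerable pattern) next to a hardened one that enforces a strict filename shape, an extension allowlist, and file-signature sniffing that must agree with the extension. The sample uploads, signatures and function names are constructed for this example and are not taken from the advisory.

```python
import re

# Allowlisted extensions and the file signatures ("magic bytes") each must carry.
# Constructed for this example; extend for the types your application accepts.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# One base name, one extension, no path separators or extra dots in the base
# name: this alone rejects "shell.jsp.png", traversal sequences and long names.
_SAFE_NAME = re.compile(r"^[a-z0-9_-]{1,64}\.[a-z0-9]{1,5}$")


def weak_is_allowed(filename: str) -> bool:
    """Vulnerable pattern: trusts only the client-supplied extension."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_TYPES


def strong_is_allowed(filename: str, content: bytes) -> bool:
    """Hardened pattern: strict name shape, extension allowlist, and content
    sniffing that must agree with the declared extension."""
    name = filename.lower()
    if not _SAFE_NAME.match(name):
        return False
    ext = name.rsplit(".", 1)[-1]
    signatures = ALLOWED_TYPES.get(ext)
    if signatures is None:
        return False
    return any(content.startswith(sig) for sig in signatures)


# Constructed sample uploads (declared filename -> leading bytes); not real captures.
SAMPLE_UPLOADS = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "photo.JPG": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "shell.png": b"<% out.println(\"x\"); %>",           # script body, image extension
    "shell.jsp.png": b"<%@ page import=\"java.io.*\" %>",  # double extension
    "../../etc/cron.d/x.png": b"\x89PNG\r\n\x1a\n",         # traversal in the name
    "notes.txt": b"hello",                                  # not on the allowlist
}


def compare(samples=SAMPLE_UPLOADS):
    """Return {filename: (extension_only_verdict, hardened_verdict)} per sample."""
    return {name: (weak_is_allowed(name), strong_is_allowed(name, data))
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, (weak, strong) in compare().items():
        print(f"{name:28} extension-only={weak!s:5} hardened={strong}")
```

Signature sniffing does not defeat polyglot files (a valid image header followed by script), so the check above is one layer only: store uploads under a server-generated name outside any executable web root, never serve them from a location that interprets server-side scripts, and send them with `X-Content-Type-Options: nosniff`.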

Remediation

Install the following patches to resolve this vulnerability:
Hotfix 16617 for 6.0.0 version 1.2
Cumulative Fix Pack for 6.1 SP2 - AEM-6.1-SP2-CFP3
Cumulative Fix Pack for 6.2 SP1 - AEM-6.2-SP1-CFP4

External links

https://helpx.adobe.com//security/products/experience-manager/apsb17-26.html

2) Information disclosure

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to an unspecified error that discloses the software version. A remote attacker can obtain the product version number, which lets the attacker fingerprint the installation and target vulnerabilities known to affect that release.
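The advisory does not say where AEM leaks its version, so the following is a generic check rather than Adobe's code: it scans the usual carriers in an HTTP response (the Server, X-Powered-By and similar headers, plus an HTML generator meta tag) for version tokens, and shows the corresponding hardening step of dropping those headers. The sample response, header names and product strings are constructed for this example.

```python
import re

# Response headers that commonly carry a product/version string.
HEADER_CARRIERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
VERSION_TOKEN = re.compile(r"\b\d+(?:\.\d+){1,3}\b")
META_GENERATOR = re.compile(r'<meta\s+name="generator"\s+content="([^"]*)"', re.I)


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status line, {header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_version_leaks(raw: str):
    """Return [(location, value)] for every carrier whose value contains a version.
    The status line is skipped on purpose: its 'HTTP/1.1' is not a product version."""
    _, headers, body = parse_response(raw)
    leaks = []
    for name in HEADER_CARRIERS:
        value = headers.get(name)
        if value and VERSION_TOKEN.search(value):
            leaks.append((name, value))
    m = META_GENERATOR.search(body)
    if m and VERSION_TOKEN.search(m.group(1)):
        leaks.append(("meta generator", m.group(1)))
    return leaks


def scrub_headers(headers: dict) -> dict:
    """Hardened header set: drop the carriers entirely rather than trimming the
    number, since the product name alone still fingerprints the stack."""
    return {k: v for k, v in headers.items() if k not in HEADER_CARRIERS}


# Constructed sample response; product names and versions are invented.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Example-Servlet-Engine/4.1.52\r\n"
    "X-Powered-By: ExampleCMS/6.2.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="ExampleCMS 6.2 SP1"></head>'
    "<body>ok</body></html>"
)

if __name__ == "__main__":
    for where, value in find_version_leaks(SAMPLE_RESPONSE):
        print(f"version disclosed in {where}: {value}")
```

Run the check against the responses of your own instance after applying the fix pack; a clean result from this script only covers the carriers it knows about, so treat it as a regression test for headers you have already stripped at the reverse proxy, not as proof that the patched product no longer discloses its version elsewhere.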

Remediation

The vulnerability can be resolved with the following patches:

Hotfix 17203 for 6.0.0

Cumulative Fix Pack for 6.1 SP2 - AEM-6.1-SP2-CFP9

Cumulative Fix Pack for 6.2 SP1- AEM-6.2-SP1-CFP5

Cumulative Fix Pack for 6.3.0.1

External links

https://helpx.adobe.com//security/products/experience-manager/apsb17-26.html

3) Information disclosure

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to an unspecified error. A remote attacker can send a specially crafted request and gain access to potentially sensitive information.

Remediation

Install the following patches:

Hotfix 16005 for 6.0.0.0

Cumulative Fix Pack for 6.1 SP2 - AEM-6.1-SP2-CFP10

External links

https://helpx.adobe.com//security/products/experience-manager/apsb17-26.html
