Server-side request forgery in Adobe Experience Manager



Published: 2018-07-10
Risk Low
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2018-5004
CVE-2018-5006
CVE-2018-12809
CWE-ID CWE-918
Exploitation vector Network
Public exploit N/A
Vulnerable software
Adobe Experience Manager
Client/Desktop applications / Office applications

Vendor Adobe

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Server-side request forgery

EUVDB-ID: #VU13626

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-5004

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform an SSRF attack.

The weakness exists due to an unspecified error in the handling of server-side requests. A remote attacker can make the AEM instance issue requests to attacker-chosen destinations, which allows bypassing network access controls, making unauthorized connections to internal resources (hosts and services reachable only from the server) and gaining access to sensitive information.

Mitigation

Install the update from the vendor's website (Adobe bulletin APSB18-23, linked below).

Vulnerable software versions

Adobe Experience Manager: 6.2 - 6.3

External links

http://helpx.adobe.com//security/products/experience-manager/apsb18-23.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

By sending a specially crafted request to a vulnerable AEM instance, which then performs the attacker-controlled server-side request. No authentication or user interaction is required (the CVSS vector is AV:N/PR:N/UI:N), so no victim needs to be lured to a website or to open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Server-side request forgery

EUVDB-ID: #VU13628

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-5006

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform an SSRF attack.

The weakness exists due to an unspecified error in the handling of server-side requests. A remote attacker can make the AEM instance issue requests to attacker-chosen destinations, which allows bypassing network access controls, making unauthorized connections to internal resources (hosts and services reachable only from the server) and gaining access to sensitive information.

Mitigation

Install the update from the vendor's website (Adobe bulletin APSB18-23, linked below).

Vulnerable software versions

Adobe Experience Manager: 6.0 - 6.4

External links

http://helpx.adobe.com//security/products/experience-manager/apsb18-23.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

By sending a specially crafted request to a vulnerable AEM instance, which then performs the attacker-controlled server-side request. No authentication or user interaction is required (the CVSS vector is AV:N/PR:N/UI:N), so no victim needs to be lured to a website or to open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Server-side request forgery

EUVDB-ID: #VU13629

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-12809

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform an SSRF attack.

The weakness exists due to an unspecified error in the handling of server-side requests. A remote attacker can make the AEM instance issue requests to attacker-chosen destinations, which allows bypassing network access controls, making unauthorized connections to internal resources (hosts and services reachable only from the server) and gaining access to sensitive information.
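The three entries above describe the same class of weakness without saying where in AEM the affected request handling lives, so the example below is a generic illustration of the control that stops this kind of SSRF, not Adobe's code and not a description of the patched component. It is an allowlist-based guard for any server-side URL fetch: it rejects non-HTTP schemes, user-info tricks, literal IP addresses and hosts outside an allowlist, and it also checks what an allowlisted name resolves to, because an allowlist alone does not stop a name that points at loopback, link-local (cloud metadata) or RFC 1918 space. The allowlist, hostnames and the in-memory DNS table are constructed for the example so it runs offline; a production guard would resolve with socket.getaddrinfo and check every returned address, and then connect to the checked address rather than re-resolving.

```python
"""Added example: allowlist plus resolved-address guard for outbound fetches.

Generic SSRF mitigation, not Adobe Experience Manager code. ALLOWED_HOSTS
and FAKE_DNS are constructed for this example.
"""
import ipaddress
from urllib.parse import urlsplit

# Hosts the application is legitimately allowed to fetch from (assumed).
ALLOWED_HOSTS = {"cdn.example.com", "api.partner.example"}

# Constructed DNS table so the example runs offline. 8.8.8.8 and 1.1.1.1
# stand in for ordinary public addresses; the last two rows model names
# that point at loopback and at the link-local metadata range.
FAKE_DNS = {
    "cdn.example.com": ["8.8.8.8"],
    "api.partner.example": ["1.1.1.1"],
    "evil.example": ["127.0.0.1"],
    "metadata.example": ["169.254.169.254"],
}


def is_public_address(ip_text):
    """True only for globally routable unicast addresses.

    IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped first so the
    IPv4 checks apply to it.
    """
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url, resolver=None):
    """Return (allowed, reason) for a URL the server is asked to fetch.

    resolver maps a hostname to a list of address strings; it defaults to
    the constructed FAKE_DNS table above.
    """
    resolve = resolver or (lambda host: FAKE_DNS.get(host, []))
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parts.scheme
    # http://allowed.host@internal.host/ puts the allowed name in userinfo.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    host = parts.hostname  # lowercased, brackets stripped for IPv6
    if not host:
        return False, "no host"
    # The allowlist holds names only; literal addresses are never accepted.
    try:
        ipaddress.ip_address(host)
        return False, "literal IP address not allowed: %s" % host
    except ValueError:
        pass
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist: %s" % host
    addrs = resolve(host)
    if not addrs:
        return False, "host does not resolve: %s" % host
    for addr in addrs:
        if not is_public_address(addr):
            return False, "%s resolves to internal address %s" % (host, addr)
    return True, "ok"


if __name__ == "__main__":
    samples = [
        "https://cdn.example.com/site.css",
        "http://evil.example/",
        "http://127.0.0.1:4502/",
        "http://[::1]/",
        "http://cdn.example.com@evil.example/",
        "file:///etc/passwd",
    ]
    for sample in samples:
        allowed, reason = check_outbound_url(sample)
        print("%-45s %s (%s)" % (sample, "ALLOW" if allowed else "DENY", reason))
    # An allowlisted name whose answer changes to an internal address
    # (DNS rebinding) is still refused because the resolved address is checked.
    print(check_outbound_url("https://cdn.example.com/",
                             resolver=lambda h: ["10.0.0.5"]))
```

The resolver is injected so the same check can be unit-tested against hostile answers; the rebinding case at the end is the one an allowlist-only implementation misses.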

Mitigation

Install the update from the vendor's website (Adobe bulletin APSB18-23, linked below).

Vulnerable software versions

Adobe Experience Manager: 6.0 - 6.4

External links

http://helpx.adobe.com//security/products/experience-manager/apsb18-23.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

By sending a specially crafted request to a vulnerable AEM instance, which then performs the attacker-controlled server-side request. No authentication or user interaction is required (the CVSS vector is AV:N/PR:N/UI:N), so no victim needs to be lured to a website or to open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
