Cross-site scripting in LiveCycle and Adobe Experience Manager Forms - CVE-2016-6933

CSH
CYBERSECURITY HELP
Sign In REGISTER
 
Main Vulnerability Database Vulnerabilities #VU1298

Cross-site scripting in LiveCycle and Adobe Experience Manager Forms - CVE-2016-6933

Published: December 13, 2016 / Updated: December 14, 2016


Vulnerability identifier: #VU1298
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-6933
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Adobe
Affected software:
LiveCycle
Adobe Experience Manager Forms

Detailed vulnerability description

The vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability is caused by insufficient sanitization of user-supplied input in AACComponent. A remote attacker can create a specially crafted web page, trick the victim into visiting this page and execute arbitrary HTML and JavaScript code in victim’s browser in security context of vulnerable website.

Successful exploitation of the vulnerability may allow an attacker to perform phishing and drive-by-download attacks as well as steal victim’s cookies.


How to mitigate CVE-2016-6933


Sources