Cross-site scripting in Adobe Experience Manager - CVE-2016-7884
Published: December 14, 2016
Vulnerability identifier: #VU1303
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-7884
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Adobe
Affected software:
Adobe Experience Manager
Adobe Experience Manager
Detailed vulnerability description
The vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability is caused by insufficient sanitization of user-supplied input in DAM create assets functionality. A remote attacker can create a specially crafted web page, trick the victim into visiting this page and execute arbitrary HTML and JavaScript code in victim’s browser in security context of vulnerable website.
Successful exploitation of the vulnerability may allow an attacker to perform phishing and drive-by-download attacks as well as steal victim’s cookies.
How to mitigate CVE-2016-7884
To resolve the vulnerability, please install the following patch:
Adobe Experience Manager 6.1:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...
Adobe Experience Manager 6.0:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...
Adobe Experience Manager 6.1:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...
Adobe Experience Manager 6.0:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...