Cross-site request forgery in Adobe Experience Manager - CVE-2016-7885
Published: December 14, 2016
Vulnerability identifier: #VU1304
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-7885
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Adobe
Affected software:
Adobe Experience Manager
Adobe Experience Manager
Detailed vulnerability description
The vulnerability allows a remote attacker to perform CSRF attacks.
The vulnerability is caused by insufficient validation of HTTP request origin in Jackrabbit component. A remote attacker can create a specially crafted web page, trick the victim into visiting this page and perform CSRF attack.
Successful exploitation of the vulnerability may allow an attacker to send arbitrary HTTP request to vulnerable application from victim's browser.
How to mitigate CVE-2016-7885
To resolve the vulnerability, please install the following patch:
Adobe Experience Manager 6.2:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...
Adobe Experience Manager 6.1:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...
Adobe Experience Manager 6.0:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...
Adobe Experience Manager 6.2:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...
Adobe Experience Manager 6.1:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...
Adobe Experience Manager 6.0:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...