#VU1309 Cross-site scripting in RoboHelp - CVE-2016-7891
Published: December 14, 2016
Vulnerability identifier: #VU1309
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-7891
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
RoboHelp
RoboHelp
Software vendor:
Adobe
Adobe
Description
The vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability is caused by insufficient sanitization of user-supplied input. A remote attacker can create a specially crafted web page, trick the victim into visiting this page and execute arbitrary HTML and JavaScript code in victim’s browser in security context of vulnerable website.
Successful exploitation of the vulnerability may allow an attacker to perform phishing and drive-by-download attacks as well as steal victim’s cookies.
Remediation
Install the following patches:
RoboHelp 2015.0.4:
https://www.adobe.com/support/robohelp/downloads.html
RoboHelp 11.0.4:
https://helpx.adobe.com/robohelp/release-note/robohelp-11-0-4-readme.html
RoboHelp 2015.0.4:
https://www.adobe.com/support/robohelp/downloads.html
RoboHelp 11.0.4:
https://helpx.adobe.com/robohelp/release-note/robohelp-11-0-4-readme.html