Main Vulnerability Database Vulnerabilities #VU270

Cross-site scripting in Adobe Experience Manager - CVE-2016-4170

Published: August 9, 2016

Vulnerability identifier: #VU270

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear

CVE-ID: CVE-2016-4170

CWE-ID: CWE-79

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Adobe

Affected software:
Adobe Experience Manager

Detailed vulnerability description

The vulnerability allows a remote attacker to perform cross-site scripting attacks.

The vulnerability is caused by incorrect filtration of user-supplied input. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim’s browser in security context of vulnerable website or redirect victim to arbitrary website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

How to mitigate CVE-2016-4170

The vendor has issued fixes to address this vulnerability:

Hotfix 10936 for 6.2
Hotfix 10936 for 6.1
Hotfix 10936 for 6.0
Hotfix 10936 for 5.6.1

Sources

https://helpx.adobe.com/security/products/experience-manager/apsb16-27.html

Cross-site scripting in Adobe Experience Manager - CVE-2016-4170

Detailed vulnerability description

How to mitigate CVE-2016-4170

Sources

Please verify you're human