Vulnerability identifier: #VU1304

Vulnerability risk: Low

CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7885

CWE-ID: CWE-352

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Adobe Experience Manager
Client/Desktop applications / Office applications

Vendor: Adobe

Description

The vulnerability allows a remote attacker to perform CSRF attacks.

The vulnerability is caused by insufficient validation of HTTP request origin in Jackrabbit component. A remote attacker can create a specially crafted web page, trick the victim into visiting this page and perform CSRF attack.

Successful exploitation of the vulnerability may allow an attacker to send arbitrary HTTP request to vulnerable application from victim's browser.

Mitigation
To resolve the vulnerability, please install the following patch:

Adobe Experience Manager 6.2:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...
Adobe Experience Manager 6.1:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...
Adobe Experience Manager 6.0:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...

Vulnerable software versions

Adobe Experience Manager: 6.0 - 6.2

---

External links
http://helpx.adobe.com/security/products/experience-manager/apsb16-42.html

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.