Vulnerability identifier: #VU1304
Vulnerability risk: Low
CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-352
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Adobe Experience Manager
Client/Desktop applications /
Office applications
Vendor: Adobe
Description
The vulnerability allows a remote attacker to perform CSRF attacks.
The vulnerability is caused by insufficient validation of HTTP request origin in Jackrabbit component. A remote attacker can create a specially crafted web page, trick the victim into visiting this page and perform CSRF attack.
Successful exploitation of the vulnerability may allow an attacker to send arbitrary HTTP request to vulnerable application from victim's browser.
Mitigation
To resolve the vulnerability, please install the following patch:
Adobe Experience Manager 6.2:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...
Adobe Experience Manager 6.1:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...
Adobe Experience Manager 6.0:
https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...
Vulnerable software versions
Adobe Experience Manager: 6.0 - 6.2
External links
http://helpx.adobe.com/security/products/experience-manager/apsb16-42.html
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.