Main Vulnerability Database Vulnerabilities #VU270

#VU270 Cross-site scripting in Adobe Experience Manager - CVE-2016-4170

Published: August 9, 2016

Vulnerability identifier: #VU270

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear

CVE-ID: CVE-2016-4170

CWE-ID: CWE-79

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Adobe Experience Manager

Software vendor:
Adobe

Description

The vulnerability allows a remote attacker to perform cross-site scripting attacks.

The vulnerability is caused by incorrect filtration of user-supplied input. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim’s browser in security context of vulnerable website or redirect victim to arbitrary website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

The vendor has issued fixes to address this vulnerability:

Hotfix 10936 for 6.2
Hotfix 10936 for 6.1
Hotfix 10936 for 6.0
Hotfix 10936 for 5.6.1

External links

https://helpx.adobe.com/security/products/experience-manager/apsb16-27.html