Advisory Adobe LiveCycle Workflow XSS Vulnerability

2008.03.12
Credit: Dave Lewis
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Summary Name: Adobe LiveCycle Workflow XSS Vulnerability Release Date: 11 March 2008 Reference: LSD002-2008 CVE Number: CVE-2008-1202 Discover: Dave Lewis Vendor: Adobe Systems Product: LiveCycle Workflow 6.2 Management Web Interface Systems Affected: version 6.2 (as tested) NB. Other versions may be affected. Risk: Important Status: Published Reference: 1) http://www.liquidmatrix.org/blog/2008/03/11/advisory-adobe-livecycle-wor kflow-xss-vulnerability/ 2) http://www.adobe.com/support/security/bulletins/apsb08-10.html Time Line Discovered: 16 January 2008 Reported: 16 January 2008 Fixed: 5 March 2008 Patch Release: 11 March 2008 Published: 11 March 2008 Description The Adobe LiveCycle Workflow management login page contains a vulnerability which is susceptible to a cross site scripting (XSS) attack. Impact: a remote attacker could execute a XSS attack that could pass arbitrary html to the user and capture usernames/passwords. Technical Details Input passed to the URL of the web management login page is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user?s browser session in context of an affected site. Fix Information This issue has been resolved. The patch may be obtained from: http://www.adobe.com/go/supportportal Liquidmatrix Security Digest http://www.liquidmatrix.org/blog/ 2255B Queen Street East suite 156 Toronto, Ontario Canada M4E 1G3


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top