SB2016080901 - Multiple vulnerabilities in Adobe Experience Manager

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2016080901

SB2016080901 - Multiple vulnerabilities in Adobe Experience Manager

Published: August 9, 2016

Security Bulletin ID SB2016080901
Severity
Low
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2016-4168)

The vulnerability allows a remote attacker to perform cross-site scripting attacks.

The vulnerability is caused by incorrect filtration of user-supplied input. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim’s browser in security context of vulnerable website or redirect victim to arbitrary website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


2) Information disclosure (CVE-ID: CVE-2016-4169)

The vulnerability allows a local attacker to gain access to potentially sensitive information.

The vulnerability exists due to unknown error, which can lead to exposure of audit log events to unprivileged users. A local attacker can get access to potentially sensitive data.

Successful exploitation of this vulnerability will allow a local user to gain unauthorized access to potentially sensitive information.


3) Cross-site scripting (CVE-ID: CVE-2016-4170)

The vulnerability allows a remote attacker to perform cross-site scripting attacks.

The vulnerability is caused by incorrect filtration of user-supplied input. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim’s browser in security context of vulnerable website or redirect victim to arbitrary website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


4) Information disclosure in Backup functionality (CVE-ID: CVE-2016-4253)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to unknown error in Backup functionality. A remote attacker can get access to potentially sensitive data.

Successful exploitation of this vulnerability will allow an attacker to gain unauthorized access to potentially sensitive information.


Remediation

Install update from vendor's website.

References