SB2016121303 - Two XSS vulnerabilities in Adobe Experience Manager Forms

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2016121303

SB2016121303 - Two XSS vulnerabilities in Adobe Experience Manager Forms

Published: December 13, 2016

Security Bulletin ID SB2016121303
Severity
Low
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2016-6934)

The vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability is caused by insufficient sanitization of user-supplied input in PMAdmin. A remote attacker can create a specially crafted web page, trick the victim into visiting this page and execute arbitrary HTML and JavaScript code in victim’s browser in security context of vulnerable website.

Successful exploitation of the vulnerability may allow an attacker to perform phishing and drive-by-download attacks as well as steal victim’s cookies.


2) Cross-site scripting (CVE-ID: CVE-2016-6933)

The vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability is caused by insufficient sanitization of user-supplied input in AACComponent. A remote attacker can create a specially crafted web page, trick the victim into visiting this page and execute arbitrary HTML and JavaScript code in victim’s browser in security context of vulnerable website.

Successful exploitation of the vulnerability may allow an attacker to perform phishing and drive-by-download attacks as well as steal victim’s cookies.


Remediation

Install update from vendor's website.

References