微慑信息网

CVE-2008-1202-漏洞详情

CVE-2008-1202
CVSS 4.3
发布时间 :2008-03-11 20:44:00
修订时间 :2011-03-07 22:06:19
NMCOPS    

[原文]Cross-site scripting (XSS) vulnerability in the web management interface in Adobe LiveCycle Workflow 6.2 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.


[CNNVD]Adobe LiveCycle Workflow管理登录页面跨站脚本漏洞(CNNVD-200803-181)

        Adobe LiveCycle Workflow是一个全面的流程管理解决方案,用于帮助企业简化、整合和保护以文档为中心的流程。


        LiveCycle Workflow没有正确地过滤对Web管理登录页面的输入便返回给了用户,这可能导致跨站脚本攻击,在用户浏览器会话中注入并执行任意HTML和脚本代码。


        


CVSS (基础分值)

CVSS分值: 4.3 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: MEDIUM [漏洞利用存在一定的访问条件]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]


CWE (弱点类目)

CWE-79 [在Web页面生成时对输入的转义处理不恰当(跨站脚本)]


CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用


OVAL (用于检测的技术细节)

未找到相关OVAL定义


官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1202

(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1202

(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200803-181

(官方数据源) CNNVD


其它链接及资源

http://www.vupen.com/english/advisories/2008/0864/references


(UNKNOWN)  VUPEN  ADV-2008-0864
http://www.securityfocus.com/archive/1/archive/1/489413/100/0/threaded


(UNKNOWN)  BUGTRAQ  20080311 Advisory Adobe LiveCycle Workflow XSS Vulnerability
http://www.liquidmatrix.org/blog/2008/03/11/advisory-adobe-livecycle-workflow-xss-vulnerability/


(UNKNOWN)  MISC  http://www.liquidmatrix.org/blog/2008/03/11/advisory-adobe-livecycle-workflow-xss-vulnerability/
http://www.adobe.com/support/security/bulletins/apsb08-10.html


(UNKNOWN)  CONFIRM  http://www.adobe.com/support/security/bulletins/apsb08-10.html
http://xforce.iss.net/xforce/xfdb/41143


(UNKNOWN)  XF  adobe-lifecycle-loginpage-xss(41143)
http://www.securitytracker.com/id?1019588


(UNKNOWN)  SECTRACK  1019588
http://www.securityfocus.com/bid/28209


(UNKNOWN)  BID  28209
http://securityreason.com/securityalert/3729


(UNKNOWN)  SREASON  3729
http://secunia.com/advisories/29331


(UNKNOWN)  SECUNIA  29331


漏洞信息

Adobe LiveCycle Workflow管理登录页面跨站脚本漏洞
中危 跨站脚本
2008-03-11 00:00:00 2008-09-05 00:00:00
本地  
        Adobe LiveCycle Workflow是一个全面的流程管理解决方案,用于帮助企业简化、整合和保护以文档为中心的流程。


        LiveCycle Workflow没有正确地过滤对Web管理登录页面的输入便返回给了用户,这可能导致跨站脚本攻击,在用户浏览器会话中注入并执行任意HTML和脚本代码。


        


公告与补丁

        目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:


        http://www.adobe.com/go/supportportal


漏洞信息 (F64508)

adobe-livecycle-workflow-xss.txt (PacketStormID:F64508)

2008-03-13 00:00:00
Dave Lewis  liquidmatrix.org

advisory,xss

CVE-2008-1202

[点击下载]

The Adobe LiveCycle Workflow version 6.2 suffers from a cross site scripting vulnerability.

Summary

Name: Adobe LiveCycle Workflow XSS Vulnerability
Release Date: 11 March 2008
Reference: LSD002-2008
CVE Number: CVE-2008-1202
Discover: Dave Lewis
Vendor: Adobe Systems
Product: LiveCycle Workflow 6.2 Management Web Interface
Systems Affected: version 6.2 (as tested)
NB. Other versions may be affected.

Risk: Important
Status: Published
Reference:
1)
Advisory: Adobe LiveCycle Workflow XSS Vulnerability
2) http://www.adobe.com/support/security/bulletins/apsb08-10.html Time Line Discovered: 16 January 2008 Reported: 16 January 2008 Fixed: 5 March 2008 Patch Release: 11 March 2008 Published: 11 March 2008 Description The Adobe LiveCycle Workflow management login page contains a vulnerability which is susceptible to a cross site scripting (XSS) attack. Impact: a remote attacker could execute a XSS attack that could pass arbitrary html to the user and capture usernames/passwords. Technical Details Input passed to the URL of the web management login page is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user


漏洞信息


42812
Adobe LiveCycle Workflow Web Management Interface Unspecified XSS

Remote / Network Access

Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public Vendor Verified,
Vendor Verified,
Coordinated Disclosure


漏洞描述


时间线


2008-03-11

Unknow
Unknow Unknow


解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, Adobe has released a patch to address this vulnerability.


相关参考


漏洞作者

Unknown or Incomplete


漏洞信息

Adobe LiveCycle Workflow Management Login Page Cross-Site Scripting Vulnerability

Input Validation Error

28209
Yes No
2008-03-11 12:00:00 2008-03-12 09:11:00

Dave Lewis of LiquidMatrix is credited with the discovery of this vulnerability.


受影响的程序版本

Adobe LiveCycle Workflow 6.2


漏洞讨论

Adobe LiveCycle Workflow is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.



An attacker could exploit this vulnerability to execute arbitrary script code in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.


漏洞利用

To exploit this issue, an attacker must entice a victim into following a malicious URI.


解决方案

The vendor has released advisory APSB0-10 to address this issue. Please see the referenced advisory for details on obtaining and applying the appropriate updates.




相关参考

本文标题:CVE-2008-1202-漏洞详情
本文链接:
(转载请附上本文链接)
http://vulsee.com/archives/vulsee_2019/0713_2936.html
转载请附本站链接,未经允许不得转载,,谢谢:微慑信息网-VulSee.com » CVE-2008-1202-漏洞详情
分享到: 更多 (0)

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址

微慑信息网 专注工匠精神

访问我们联系我们