CVE-2008-1202
Published: 2008-03-11 20:44:00
Last revised: 2011-03-07 22:06:19
[Original] Cross-site scripting (XSS) vulnerability in the web management interface in Adobe LiveCycle Workflow 6.2 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
[CNNVD] Adobe LiveCycle Workflow management login page cross-site scripting vulnerability (CNNVD-200803-181)
Adobe LiveCycle Workflow is a comprehensive process management solution that helps enterprises simplify, integrate and secure document-centric processes.
LiveCycle Workflow returns input submitted to the web management login page to the user without properly filtering it. This can lead to a cross-site scripting attack in which arbitrary HTML and script code is injected into, and executed within, the user's browser session.
–
CVSS (base score)
CVSS score: 4.3 [MEDIUM]
Vector (from the metrics below): AV:N/AC:M/Au:N/C:N/I:P/A:N
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: PARTIAL [some system files or information may be modified; for this bug, the HTML and script an attacker injects into the victim's browser session]
Availability impact: NONE [no impact on system availability]
Access complexity: MEDIUM [exploitation requires some access conditions; here a victim must be induced to open an attacker-supplied URL]
Access vector: NETWORK [the attacker needs neither intranet nor local access]
Authentication: NONE [no authentication is needed to exploit the vulnerability]
–
CWE (weakness category)
CWE-79 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
–
CPE (affected platforms and products)
Product and version information (CPE) not yet available
–
OVAL (technical details for detection)
No relevant OVAL definitions found
–
Official database links
–
Other links and resources
VUPEN ADV-2008-0864: http://www.vupen.com/english/advisories/2008/0864/references
BUGTRAQ 20080311 "Advisory Adobe LiveCycle Workflow XSS Vulnerability": http://www.securityfocus.com/archive/1/archive/1/489413/100/0/threaded
MISC (discoverer's advisory): http://www.liquidmatrix.org/blog/2008/03/11/advisory-adobe-livecycle-workflow-xss-vulnerability/
CONFIRM (Adobe security bulletin APSB08-10): http://www.adobe.com/support/security/bulletins/apsb08-10.html
XF adobe-lifecycle-loginpage-xss(41143): http://xforce.iss.net/xforce/xfdb/41143
SECTRACK 1019588: http://www.securitytracker.com/id?1019588
BID 28209: http://www.securityfocus.com/bid/28209
SREASON 3729: http://securityreason.com/securityalert/3729
SECUNIA 29331: http://secunia.com/advisories/29331
–
Vulnerability information (CNNVD)
Adobe LiveCycle Workflow management login page cross-site scripting vulnerability
Severity: Medium | Type: Cross-site scripting
Published: 2008-03-11 00:00:00 | Updated: 2008-09-05 00:00:00
Attack vector: Local (as recorded by CNNVD; this conflicts with the CVSS NETWORK access vector above and with the OSVDB and BID entries below, which classify the issue as remotely exploitable by luring a victim to a malicious URL)
Adobe LiveCycle Workflow is a comprehensive process management solution that helps enterprises simplify, integrate and secure document-centric processes. LiveCycle Workflow returns input submitted to the web management login page to the user without properly filtering it. This can lead to a cross-site scripting attack in which arbitrary HTML and script code is injected into, and executed within, the user's browser session.
–
Advisories and patches
The vendor has released an update that fixes this security issue (Adobe security bulletin APSB08-10). Patch download link: http://www.adobe.com/go/supportportal
–
Vulnerability information (PacketStorm F64508)
adobe-livecycle-workflow-xss.txt (PacketStorm ID: F64508)
Posted: 2008-03-13 00:00:00
Author: Dave Lewis, liquidmatrix.org
Tags: advisory, xss
CVE-2008-1202
The Adobe LiveCycle Workflow version 6.2 suffers from a cross site scripting vulnerability.

Summary
Name: Adobe LiveCycle Workflow XSS Vulnerability
Release Date: 11 March 2008
Reference: LSD002-2008
CVE Number: CVE-2008-1202
Discoverer: Dave Lewis
Vendor: Adobe Systems
Product: LiveCycle Workflow 6.2 Management Web Interface
Systems Affected: version 6.2 (as tested). NB: other versions may be affected.
Risk: Important
Status: Published
References:
1) http://www.liquidmatrix.org/blog/2008/03/11/advisory-adobe-livecycle-workflow-xss-vulnerability/
2) http://www.adobe.com/support/security/bulletins/apsb08-10.html

Time Line
Discovered: 16 January 2008
Reported: 16 January 2008
Fixed: 5 March 2008
Patch Release: 11 March 2008
Published: 11 March 2008

Description
The Adobe LiveCycle Workflow management login page contains a vulnerability which is susceptible to a cross site scripting (XSS) attack.
Impact: a remote attacker could execute an XSS attack that could pass arbitrary HTML to the user and capture usernames/passwords.

Technical Details
Input passed to the URL of the web management login page is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user
–
Vulnerability information (OSVDB)
OSVDB ID: 42812
Adobe LiveCycle Workflow Web Management Interface Unspecified XSS
Location: Remote / Network Access
Attack type: Input Manipulation
Impact: Loss of Integrity | Solution: Patch / RCS
Exploit: Public | Disclosure: Vendor Verified, Coordinated Disclosure
–
Vulnerability description
–
Timeline
Disclosure date: 2008-03-11
Discovery, exploit publication and solution dates: Unknown
–
Solution
Currently, there are no known workarounds or upgrades to correct this issue. However, Adobe has released a patch to address this vulnerability. |
–
Related references
–
Vulnerability author
Unknown or Incomplete
–
Vulnerability information (BID)
Adobe LiveCycle Workflow Management Login Page Cross-Site Scripting Vulnerability
Class: Input Validation Error
Bugtraq ID: 28209
Remote: Yes | Local: No
Published: 2008-03-11 12:00:00 | Updated: 2008-03-12 09:11:00
Dave Lewis of LiquidMatrix is credited with the discovery of this vulnerability.
–
Affected program versions
Adobe LiveCycle Workflow 6.2
–
Vulnerability discussion
Adobe LiveCycle Workflow is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker could exploit this vulnerability to execute arbitrary script code in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
–
Exploitation
To exploit this issue, an attacker must entice a victim into following a malicious URI.
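The bug class described in the discussion and in the advisory's technical details (a URL parameter reflected into the login page without output encoding) is easier to reason about with a concrete page to probe. The following is an added illustration and not Adobe's code: the login page, the echoed parameter name "msg" and the markup are all hypothetical, since the real LiveCycle Workflow 6.2 vector was never published. It renders a vulnerable page and its hardened counterpart from a constructed request URL (no network traffic) and applies the same reflection check a tester would run against either.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical login page used for illustration only. The echoed parameter
# ("msg") and the markup are assumptions, not LiveCycle's actual page.
LOGIN_FORM = ('<form method="post" action="/login">'
              '<input name="user"><input name="pass" type="password">'
              '<input type="submit" value="Log in"></form>')


def message_from_url(url: str) -> str:
    """Extract the URL parameter that the page echoes (empty if absent)."""
    return parse_qs(urlsplit(url).query).get("msg", [""])[0]


def render_login_vulnerable(url: str) -> str:
    """Bug pattern: untrusted input concatenated straight into the HTML body."""
    return '<p class="status">' + message_from_url(url) + "</p>" + LOGIN_FORM


def render_login_hardened(url: str) -> str:
    """Fix: entity-encode for the HTML element-body context before output.
    quote=True also encodes ' and ", so the same helper is safe inside
    quoted attribute values. Other contexts (JavaScript, URL) need their
    own encoders; HTML escaping alone is not enough there."""
    safe = html.escape(message_from_url(url), quote=True)
    return '<p class="status">' + safe + "</p>" + LOGIN_FORM


# Constructed probe containing every character that must be encoded in HTML
# text and attribute contexts. It does nothing by itself; the only question
# is whether it comes back unchanged.
PROBE = 'xss"\'<>probe'


def reflects_unencoded(render, base_url: str = "http://host/login") -> bool:
    """True if the renderer reflects the probe verbatim, which is the
    precondition for reflected XSS."""
    page = render(f"{base_url}?msg={quote(PROBE, safe='')}")
    return PROBE in page


def script_tag_survives(render, base_url: str = "http://host/login") -> bool:
    """Confirmation step: does a script element survive into the response?"""
    payload = "<script>alert(document.cookie)</script>"
    page = render(f"{base_url}?msg={quote(payload, safe='')}")
    return payload in page


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_login_vulnerable),
                     ("hardened", render_login_hardened)):
        print(f"{name:10s} reflects probe: {reflects_unencoded(fn)}  "
              f"script tag survives: {script_tag_survives(fn)}")
```

The probe-based check is the useful part for a pentester: it tests the encoding behaviour rather than any particular payload, so it is not defeated by blacklists that only strip the string "script". On a login page the impact is exactly what the advisory states: script running in the page can read what the victim types into the form or redirect the form submission, which is how usernames and passwords end up captured.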
–
Solution
The vendor has released advisory APSB08-10 to address this issue. Please see the referenced advisory for details on obtaining and applying the appropriate updates.