ID

VAR-200802-0480


CVE

CVE-2008-0642


TITLE

Adobe RoboHelp Cross-site scripting vulnerability in files created by

Trust: 0.8

sources: JVNDB: JVNDB-2008-002417

DESCRIPTION

Cross-site scripting (XSS) vulnerability in files created by Adobe RoboHelp 6 and 7, possibly involving use of a (1) WebHelp5 (WebHelp5Ext) or (2) WildFire (WildFireExt) extension, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2007-1280.

Adobe RoboHelp is prone to an unspecified cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input. Few details are available regarding this issue. We will update this BID as more information emerges. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. The issue affects Adobe RoboHelp 6 and 7.

TITLE: Adobe RoboHelp Cross-Site Scripting Vulnerability

SECUNIA ADVISORY ID: SA28945

VERIFY ADVISORY: http://secunia.com/advisories/28945/

CRITICAL: Less critical

IMPACT: Cross Site Scripting

WHERE: From remote

SOFTWARE:
Adobe RoboHelp 6.x http://secunia.com/product/14178/
Adobe RoboHelp 7.x http://secunia.com/product/17551/

DESCRIPTION: A vulnerability has been reported in RoboHelp, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed via the URL to files generated by RoboHelp is not properly sanitised before being returned to the user. The vulnerability affects versions 6 and 7.

SOLUTION: Apply updates.
RoboHelp 6: Apply RoboHelp_APSB08-05.zip. Please see the vendor's advisory for more information.
RoboHelp 7: Use automatic update via Help->Updates.

PROVIDED AND/OR DISCOVERED BY: The vendor credits Tavis Ormandy of Google.

ORIGINAL ADVISORY: APSB08-05: http://www.adobe.com/support/security/bulletins/apsb08-05.html

Trust: 1.98

sources: NVD: CVE-2008-0642 // JVNDB: JVNDB-2008-002417 // BID: 27763 // PACKETSTORM: 63630

AFFECTED PRODUCTS

vendor: adobe, model: robohelp, scope: eq, version: 6

Trust: 2.7

vendor: adobe, model: robohelp, scope: eq, version: 7

Trust: 2.4

vendor: hitachi, model: device manager, scope: eq, version: software

Trust: 0.8

vendor: hitachi, model: it operations director, scope: -, version: -

Trust: 0.8

vendor: hitachi, model: replication manager, scope: eq, version: software

Trust: 0.8

vendor: hitachi, model: tiered storage manager, scope: eq, version: software

Trust: 0.8

vendor: hitachi, model: jp1/it desktop management, scope: eq, version: - manager

Trust: 0.8

vendor: adobe, model: robohelp office, scope: eq, version: 7

Trust: 0.3

sources: BID: 27763 // JVNDB: JVNDB-2008-002417 // CNNVD: CNNVD-200802-303 // NVD: CVE-2008-0642

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2008-0642
value: MEDIUM

Trust: 1.0

NVD: CVE-2008-0642
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200802-303
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2008-0642
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-2008-002417 // CNNVD: CNNVD-200802-303 // NVD: CVE-2008-0642

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2008-002417 // NVD: CVE-2008-0642

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200802-303

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 63630 // CNNVD: CNNVD-200802-303

CONFIGURATIONS

sources: JVNDB: JVNDB-2008-002417

PATCH

title: APSA08-05, url: http://www.adobe.com/support/security/bulletins/apsb08-05.html

Trust: 0.8

title: APSA08-05, url: http://www.adobe.com/jp/support/security/bulletins/apsb08-05.html

Trust: 0.8

title: HS12-011, url: http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS12-011/index.html

Trust: 0.8

title: HS12-014, url: http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS12-014/index.html

Trust: 0.8

title: HS12-017, url: http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS12-017/index.html

Trust: 0.8

title: HS12-011, url: http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS12-011/index.html

Trust: 0.8

title: HS12-014, url: http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS12-014/index.html

Trust: 0.8

title: HS12-017, url: http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS12-017/index.html

Trust: 0.8

sources: JVNDB: JVNDB-2008-002417

EXTERNAL IDS

db: NVD, id: CVE-2008-0642

Trust: 2.7

db: BID, id: 27763

Trust: 2.7

db: SECUNIA, id: 28945

Trust: 2.5

db: VUPEN, id: ADV-2008-0537

Trust: 2.4

db: SECTRACK, id: 1019397

Trust: 2.4

db: JVNDB, id: JVNDB-2008-002417

Trust: 0.8

db: CNNVD, id: CNNVD-200802-303

Trust: 0.6

db: PACKETSTORM, id: 63630

Trust: 0.1

sources: BID: 27763 // JVNDB: JVNDB-2008-002417 // PACKETSTORM: 63630 // CNNVD: CNNVD-200802-303 // NVD: CVE-2008-0642

REFERENCES

url:http://secunia.com/advisories/28945

Trust: 2.4

url:http://www.securityfocus.com/bid/27763

Trust: 2.4

url:http://securitytracker.com/id?1019397

Trust: 2.4

url:http://www.adobe.com/support/security/bulletins/apsb08-05.html

Trust: 2.0

url:http://www.vupen.com/english/advisories/2008/0537

Trust: 1.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-0642

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-0642

Trust: 0.8

url:http://www.frsirt.com/english/advisories/2008/0537

Trust: 0.6

url:http://www.adobe.com/products/robohelp/

Trust: 0.3

url:http://secunia.com/advisories/28945/

Trust: 0.1

url:http://secunia.com/secunia_security_advisories/

Trust: 0.1

url:https://psi.secunia.com/?page=changelog

Trust: 0.1

url:https://psi.secunia.com/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/about_secunia_advisories/

Trust: 0.1

url:http://secunia.com/product/14178/

Trust: 0.1

url:http://secunia.com/product/17551/

Trust: 0.1

sources: BID: 27763 // JVNDB: JVNDB-2008-002417 // PACKETSTORM: 63630 // CNNVD: CNNVD-200802-303 // NVD: CVE-2008-0642

CREDITS

Tavis Ormandy of Google is credited with discovering this issue.

Trust: 0.9

sources: BID: 27763 // CNNVD: CNNVD-200802-303

SOURCES

db: BID, id: 27763
db: JVNDB, id: JVNDB-2008-002417
db: PACKETSTORM, id: 63630
db: CNNVD, id: CNNVD-200802-303
db: NVD, id: CVE-2008-0642

LAST UPDATE DATE

2024-11-23T22:57:10.597000+00:00


SOURCES UPDATE DATE

db: BID, id: 27763, date: 2008-02-13T18:46:00
db: JVNDB, id: JVNDB-2008-002417, date: 2012-06-27T00:00:00
db: CNNVD, id: CNNVD-200802-303, date: 2008-09-05T00:00:00
db: NVD, id: CVE-2008-0642, date: 2024-11-21T00:42:34.410

SOURCES RELEASE DATE

db: BID, id: 27763, date: 2008-02-12T00:00:00
db: JVNDB, id: JVNDB-2008-002417, date: 2009-08-10T00:00:00
db: PACKETSTORM, id: 63630, date: 2008-02-14T18:01:15
db: CNNVD, id: CNNVD-200802-303, date: 2008-02-14T00:00:00
db: NVD, id: CVE-2008-0642, date: 2008-02-15T01:00:00