ID

VAR-200902-0564


CVE

CVE-2009-0524


TITLE

Adobe RoboHelp and RoboHelp Server Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2009-001102

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Adobe RoboHelp 6 and 7, and RoboHelp Server 6 and 7, allows remote attackers to inject arbitrary web script or HTML via vectors involving files produced by RoboHelp.

Adobe RoboHelp is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of a site that includes content generated by the affected application. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Adobe RoboHelp 6 and 7 are vulnerable.

TITLE: Adobe RoboHelp Server Cross-Site Scripting Vulnerabilities

SECUNIA ADVISORY ID: SA34048

VERIFY ADVISORY: http://secunia.com/advisories/34048/

DESCRIPTION: Some vulnerabilities have been reported in Adobe RoboHelp Server, which can be exploited by malicious people to conduct cross-site scripting attacks.

1) Certain unspecified input is not properly sanitised before being returned to the user. Successful exploitation requires that the attacker has access to the RoboHelp Help Errors log or is able to trick a victim possessing the required permissions into following a malicious URL.

2) Input passed to unspecified parameters is not properly sanitised before being returned to the user.

SOLUTION: Apply patches and regenerate the RoboHelp content. See vendor's advisory for additional details.

PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Greg Patton, PropertyInfo Corporation
2) The vendor credits Robert Fly, SalesForce.com

ORIGINAL ADVISORY: Adobe APSB09-02: http://www.adobe.com/support/security/bulletins/apsb09-02.html

Trust: 2.07

sources: NVD: CVE-2009-0524 // JVNDB: JVNDB-2009-001102 // BID: 33888 // PACKETSTORM: 75199 // PACKETSTORM: 75196

AFFECTED PRODUCTS

vendor: adobe | model: robohelp | scope: eq | version: 6

Trust: 2.7

vendor: adobe | model: robohelp | scope: eq | version: 7

Trust: 2.4

vendor: adobe | model: robohelp server | scope: eq | version: 6

Trust: 2.4

vendor: adobe | model: robohelp server | scope: eq | version: 7

Trust: 2.4

vendor: hitachi | model: device manager | scope: eq | version: software

Trust: 0.8

vendor: hitachi | model: it operations director | scope: - | version: -

Trust: 0.8

vendor: hitachi | model: replication manager | scope: eq | version: software

Trust: 0.8

vendor: hitachi | model: tiered storage manager | scope: eq | version: software

Trust: 0.8

vendor: hitachi | model: jp1/it desktop management | scope: eq | version: - manager

Trust: 0.8

vendor: adobe | model: robohelp office | scope: eq | version: 7

Trust: 0.3

sources: BID: 33888 // JVNDB: JVNDB-2009-001102 // CNNVD: CNNVD-200902-605 // NVD: CVE-2009-0524

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2009-0524
value: MEDIUM

Trust: 1.0

NVD: CVE-2009-0524
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200902-605
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2009-0524
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-2009-001102 // CNNVD: CNNVD-200902-605 // NVD: CVE-2009-0524

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2009-001102 // NVD: CVE-2009-0524

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200902-605

TYPE

xss

Trust: 0.8

sources: PACKETSTORM: 75199 // PACKETSTORM: 75196 // CNNVD: CNNVD-200902-605

CONFIGURATIONS

sources: JVNDB: JVNDB-2009-001102

PATCH

title: APSB09-02 | url: http://www.adobe.com/support/security/bulletins/apsb09-02.html

Trust: 0.8

title: APSB09-02 | url: http://www.adobe.com/jp/support/security/bulletins/apsb09-02.html

Trust: 0.8

title: HS12-011 | url: http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS12-011/index.html

Trust: 0.8

title: HS12-014 | url: http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS12-014/index.html

Trust: 0.8

title: HS12-017 | url: http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS12-017/index.html

Trust: 0.8

title: HS12-014 | url: http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS12-014/index.html

Trust: 0.8

title: HS12-017 | url: http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS12-017/index.html

Trust: 0.8

title: HS12-011 | url: http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS12-011/index.html

Trust: 0.8

sources: JVNDB: JVNDB-2009-001102

EXTERNAL IDS

db: NVD | id: CVE-2009-0524

Trust: 2.7

db: BID | id: 33888

Trust: 2.7

db: SECUNIA | id: 34032

Trust: 2.5

db: SECUNIA | id: 34048

Trust: 2.5

db: VUPEN | id: ADV-2009-0512

Trust: 2.4

db: SECTRACK | id: 1021755

Trust: 2.4

db: XF | id: 48889

Trust: 1.4

db: JVNDB | id: JVNDB-2009-001102

Trust: 0.8

db: CNNVD | id: CNNVD-200902-605

Trust: 0.6

db: PACKETSTORM | id: 75199

Trust: 0.1

db: PACKETSTORM | id: 75196

Trust: 0.1

sources: BID: 33888 // JVNDB: JVNDB-2009-001102 // PACKETSTORM: 75199 // PACKETSTORM: 75196 // CNNVD: CNNVD-200902-605 // NVD: CVE-2009-0524

REFERENCES

url:http://secunia.com/advisories/34032

Trust: 2.4

url:http://secunia.com/advisories/34048

Trust: 2.4

url:http://www.securityfocus.com/bid/33888

Trust: 2.4

url:http://securitytracker.com/id?1021755

Trust: 2.4

url:http://www.vupen.com/english/advisories/2009/0512

Trust: 2.4

url:http://www.adobe.com/support/security/bulletins/apsb09-02.html

Trust: 2.1

url:http://xforce.iss.net/xforce/xfdb/48889

Trust: 1.4

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/48889

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0524

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-0524

Trust: 0.8

url:http://www.adobe.com/products/robohelp/

Trust: 0.3

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.2

url:http://secunia.com/advisories/business_solutions/

Trust: 0.2

url:http://secunia.com/advisories/try_vi/

Trust: 0.2

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.2

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.2

url:http://secunia.com/advisories/34048/

Trust: 0.1

url:http://secunia.com/advisories/34032/

Trust: 0.1

sources: BID: 33888 // JVNDB: JVNDB-2009-001102 // PACKETSTORM: 75199 // PACKETSTORM: 75196 // CNNVD: CNNVD-200902-605 // NVD: CVE-2009-0524

CREDITS

Greg Patton

Trust: 0.6

sources: CNNVD: CNNVD-200902-605

SOURCES

db: BID | id: 33888
db: JVNDB | id: JVNDB-2009-001102
db: PACKETSTORM | id: 75199
db: PACKETSTORM | id: 75196
db: CNNVD | id: CNNVD-200902-605
db: NVD | id: CVE-2009-0524

LAST UPDATE DATE

2024-11-23T22:23:51.028000+00:00


SOURCES UPDATE DATE

db: BID | id: 33888 | date: 2009-02-24T23:37:00
db: JVNDB | id: JVNDB-2009-001102 | date: 2012-06-27T00:00:00
db: CNNVD | id: CNNVD-200902-605 | date: 2009-02-27T00:00:00
db: NVD | id: CVE-2009-0524 | date: 2024-11-21T01:00:09.337

SOURCES RELEASE DATE

db: BID | id: 33888 | date: 2009-02-24T00:00:00
db: JVNDB | id: JVNDB-2009-001102 | date: 2009-03-27T00:00:00
db: PACKETSTORM | id: 75199 | date: 2009-02-25T15:46:37
db: PACKETSTORM | id: 75196 | date: 2009-02-25T15:35:02
db: CNNVD | id: CNNVD-200902-605 | date: 2009-02-26T00:00:00
db: NVD | id: CVE-2009-0524 | date: 2009-02-26T16:17:19.983