Multiple vulnerabilities in Adobe Connect
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2017-11287 CVE-2017-11288 CVE-2017-11289 CVE-2017-11291 CVE-2017-11290 |
| CWE-ID | CWE-79 CWE-918 CWE-451 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Adobe Connect Client/Desktop applications / Other client software |
| Vendor | Adobe |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Reflected cross-site scripting
EUVDB-ID: #VU9190
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-11287
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationUpdate to version 9.7.
Adobe Connect: 9.4.1 - 9.6.2
CPE2.3- cpe:2.3:a:adobe:adobe_connect:9.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_connect:9.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_connect:9.5.2:*:*:*:*:*:*:*
https://helpx.adobe.com/security/products/connect/apsb17-35.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Reflected cross-site scripting
EUVDB-ID: #VU9191
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-11288
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationUpdate to version 9.7.
Adobe Connect: 9.4.1 - 9.6.2
CPE2.3- cpe:2.3:a:adobe:adobe_connect:9.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_connect:9.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_connect:9.5.2:*:*:*:*:*:*:*
https://helpx.adobe.com/security/products/connect/apsb17-35.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Reflected cross-site scripting
EUVDB-ID: #VU9192
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-11289
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationUpdate to version 9.7.
Adobe Connect: 9.4.1 - 9.6.2
CPE2.3- cpe:2.3:a:adobe:adobe_connect:9.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_connect:9.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_connect:9.5.2:*:*:*:*:*:*:*
https://helpx.adobe.com/security/products/connect/apsb17-35.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Server-side request forgery
EUVDB-ID: #VU9193
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-11291
CWE-ID:
CWE-918 - Server-Side Request Forgery (SSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform SSRF attack.
The weakness exists due to unknown error. A remote attacker can perform SSRF attack to bypass network access controls, perform unauthorized connections to local resources, gain access to sensitive information and compromise vulnerable system.
Update to version 9.7.
Adobe Connect: 9.4.1 - 9.6.2
CPE2.3- cpe:2.3:a:adobe:adobe_connect:9.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_connect:9.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_connect:9.5.2:*:*:*:*:*:*:*
https://helpx.adobe.com/security/products/connect/apsb17-35.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Click-jacking attack
EUVDB-ID: #VU9194
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-11290
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform click-jacking attacks.
The vulnerability exists due to misrepresentation of critical information by user interface. A remote attacker can perform click-jacking attack.
Successful exploitation of this vulnerability may allow an attacker to gain access to potentially sensitive date or perform phishing attacks.
MitigationUpdate to version 9.7.
Adobe Connect: 9.4.1 - 9.6.2
CPE2.3- cpe:2.3:a:adobe:adobe_connect:9.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_connect:9.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_connect:9.5.2:*:*:*:*:*:*:*
https://helpx.adobe.com/security/products/connect/apsb17-35.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
