
ZDI-17-927: Adobe Acrobat Pro DC iframe Same Origin Policy Bypass Information Disclosure Vulnerability

CVSS Score

4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Vendors

Adobe

Affected Products

    Acrobat Pro DC

Vulnerability Details

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Adobe Acrobat Pro DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the conversion of HTML to PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in bypassing the same origin policy. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process.
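To make the missing check concrete, here is an added Python sketch (not ZDI's, Adobe's or Acrobat's code, and not the actual fix shipped in APSB17-36) of the origin gate an HTML-to-PDF engine needs before it honours an iframe inside a document it is rendering: each `src` is resolved against the document's own URL and compared on scheme, host and port, and non-http(s) schemes are treated as opaque origins that never match. The document URL, host names and HTML fragment are all constructed for the example.

```python
"""Same-origin gate for iframe sources in an HTML-to-PDF pipeline.

Added example, not code from the advisory or from Adobe; the check is the
standard scheme/host/port origin comparison, and all sample data is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for an http(s) URL, or None for an opaque origin.

    file:, data:, javascript:, about: and malformed URLs all yield None so that
    they can never compare equal to anything, including themselves.
    """
    parsed = urlparse(url)
    if parsed.scheme not in DEFAULT_PORTS or not parsed.hostname:
        return None
    try:
        port = parsed.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS[parsed.scheme]
    return (parsed.scheme, parsed.hostname.lower(), port)


def same_origin(url_a, url_b):
    """True only when both URLs have a real (non-opaque) origin and it is identical."""
    a, b = origin_of(url_a), origin_of(url_b)
    return a is not None and a == b


class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> in the fed HTML."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def gate_iframes(document_url, html):
    """Resolve each iframe src against the document URL and split it by origin.

    Returns (allowed, blocked): same-origin frames the converter may render,
    and everything else, which a converter must refuse to load into the
    document's origin.
    """
    collector = IframeCollector()
    collector.feed(html)
    allowed, blocked = [], []
    for src in collector.sources:
        resolved = urljoin(document_url, src)
        target = allowed if same_origin(document_url, resolved) else blocked
        target.append(resolved)
    return allowed, blocked


# Constructed sample: a document on an internal host embedding four frames.
DOCUMENT_URL = "https://intranet.example.test/reports/index.html"
SAMPLE_HTML = """
<html><body>
<iframe src="/reports/summary.html"></iframe>
<iframe src="https://intranet.example.test:443/dashboard"></iframe>
<iframe src="https://other.example.test/collect"></iframe>
<iframe src="data:text/html,hello"></iframe>
</body></html>
"""

if __name__ == "__main__":
    ok, denied = gate_iframes(DOCUMENT_URL, SAMPLE_HTML)
    print("allowed:", ok)
    print("blocked:", denied)
```

The relative frame and the one with an explicit default port both resolve to the document's origin and pass; the third-party host and the `data:` frame are refused. A converter that skips this comparison renders cross-origin content as if it belonged to the document, which is the class of weakness the advisory describes.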

Vendor Response

Adobe has issued an update to correct this vulnerability. More details can be found at:

https://helpx.adobe.com/security/products/acrobat/apsb17-36.html

Disclosure Timeline

    • 2017-06-22 – Vulnerability reported to vendor
    • 2017-11-21 – Coordinated public release of advisory

Credit

This vulnerability was discovered by:

    Steven Seeley (mr_me) of Offensive Security

Stephen Turner, the Director of Operations for predictiveIT, has spent the past 22 years in technology and security. Stephen began his career in the United States Marine Corps as a Crypto Technician before moving into the private sector. He has worked in all facets of the Information Technology world, including administration, security, consulting, project management, Director of Cyber Security, and Chief Information Officer for a nationwide organization, where he was responsible for architecting the security infrastructure during the migration of the organization’s entire data center to the “cloud”. Stephen has trained as a Certified Ethical Hacker, a Certified Information Systems Security Professional, and a Red Hat Certified Architect with a focus on Linux security.