CVE-2009-3960 - Unspecified vulnerability in Adobe products
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | NONE |
Availability impact | NONE |
Summary
Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents.
D2sec
name | Adobe XML External Entity File Disclosure |
url | http://www.d2sec.com/exploits/adobe_xml_external_entity_file_disclosure.html |
Exploit-Db
description | Adobe Multiple Products - XML Injection File Content Disclosure. CVE-2009-3960. Webapps exploit for XML platform |
file | exploits/xml/webapps/41855.sh |
id | EDB-ID:41855 |
last seen | 2017-04-11 |
modified | 2017-04-07 |
platform | xml |
port | 8400 |
published | 2017-04-07 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/41855/ |
title | Adobe Multiple Products - XML Injection File Content Disclosure |
type | webapps |

description | Multiple Adobe Products XML External Entity And XML Injection Vulnerabilities. CVE-2009-3960. Dos exploits for multiple platform |
id | EDB-ID:11529 |
last seen | 2016-02-01 |
modified | 2010-02-22 |
published | 2010-02-22 |
reporter | Roberto Suggi Liverani |
source | https://www.exploit-db.com/download/11529/ |
title | Multiple Adobe Products XML External Entity And XML Injection Vulnerabilities |
Metasploit
description | Multiple Adobe Products -- XML External Entity Injection. Affected Software: BlazeDS 3.2 and earlier versions, LiveCycle 9.0, 8.2.1, and 8.0.1, LiveCycle Data Services 3.0, 2.6.1, and 2.5.1, Flex Data Services 2.0.1, ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2 |
id | MSF:AUXILIARY/SCANNER/HTTP/ADOBE_XML_INJECT |
last seen | 2020-03-06 |
modified | 2017-08-27 |
published | 2010-11-04 |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/adobe_xml_inject.rb |
title | Adobe XML External Entity Injection |
Nessus
NASL family | CGI abuses |
NASL id | ADOBE_MULTIPLE_PRODUCTS_XXE.NASL |
description | The remote host appears to be running an Adobe product that is susceptible to XML External Entity (XXE) attacks. The installed version of the product fails to block the use of external XML entities while using the HTTPChannel to transport data in AMFX format. A remote, unauthenticated attacker could exploit this vulnerability to read arbitrary files from the remote system. According to the Adobe advisory, Adobe BlazeDS, LiveCycle, LiveCycle Data Services, Flex Data Services and ColdFusion are known to be affected by this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 44937 |
published | 2010-03-01 |
reporter | This script is Copyright (C) 2010-2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/44937 |
title | Multiple Adobe Products XML External Entity (XXE) Injection (APSB10-05) |
Packetstorm
data source | https://packetstormsecurity.com/files/download/86558/adobexml-injection.txt |
id | PACKETSTORM:86558 |
last seen | 2016-12-05 |
published | 2010-02-23 |
reporter | Roberto Suggi Liverani |
source | https://packetstormsecurity.com/files/86558/Adobe-Products-XML-External-Entity-And-XML-Injection.html |
title | Adobe Products XML External Entity And XML Injection |

data source | https://packetstormsecurity.com/files/download/142096/adobe-inject.txt |
id | PACKETSTORM:142096 |
last seen | 2017-04-11 |
published | 2017-04-11 |
reporter | Thomas Sluyter |
source | https://packetstormsecurity.com/files/142096/Adobe-XML-Injection-File-Content-Disclosure.html |
title | Adobe XML Injection File Content Disclosure |
Seebug
bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:19164 |
last seen | 2017-11-19 |
modified | 2010-02-22 |
published | 2010-02-22 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-19164 |
title | Multiple Adobe Products XML External Entity And XML Injection Vulnerabilities |
References
- http://secunia.com/advisories/38543
- http://securitytracker.com/id?1023584
- http://www.adobe.com/support/security/bulletins/apsb10-05.html
- http://www.osvdb.org/62292
- http://www.securityfocus.com/bid/38197
- https://www.exploit-db.com/exploits/41855/