CVE-2009-3960 - Unspecified vulnerability in Adobe products

CVSS: 6.5 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: NONE
Availability impact: NONE
Tags: network, low complexity, adobe, nessus, exploit available, metasploit

Summary

Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents.

D2sec

name: Adobe XML External Entity File Disclosure
url: http://www.d2sec.com/exploits/adobe_xml_external_entity_file_disclosure.html

Exploit-Db

  • description: Adobe Multiple Products - XML Injection File Content Disclosure. CVE-2009-3960. Webapps exploit for XML platform
    file: exploits/xml/webapps/41855.sh
    id: EDB-ID:41855
    last seen: 2017-04-11
    modified: 2017-04-07
    platform: xml
    port: 8400
    published: 2017-04-07
    reporter: Exploit-DB
    source: https://www.exploit-db.com/download/41855/
    title: Adobe Multiple Products - XML Injection File Content Disclosure
    type: webapps
  • description: Multiple Adobe Products XML External Entity And XML Injection Vulnerabilities. CVE-2009-3960. Dos exploits for multiple platform
    id: EDB-ID:11529
    last seen: 2016-02-01
    modified: 2010-02-22
    published: 2010-02-22
    reporter: Roberto Suggi Liverani
    source: https://www.exploit-db.com/download/11529/
    title: Multiple Adobe Products XML External Entity And XML Injection Vulnerabilities

Metasploit

description: Multiple Adobe Products -- XML External Entity Injection. Affected Software: BlazeDS 3.2 and earlier versions, LiveCycle 9.0, 8.2.1, and 8.0.1, LiveCycle Data Services 3.0, 2.6.1, and 2.5.1, Flex Data Services 2.0.1, ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2
id: MSF:AUXILIARY/SCANNER/HTTP/ADOBE_XML_INJECT
last seen: 2020-03-06
modified: 2017-08-27
published: 2010-11-04
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/adobe_xml_inject.rb
title: Adobe XML External Entity Injection

Nessus

NASL family: CGI abuses
NASL id: ADOBE_MULTIPLE_PRODUCTS_XXE.NASL
description: The remote host appears to be running an Adobe product that is susceptible to XML External Entity (XXE) attacks. The installed version of the product fails to block the use of external XML entities while using the HTTPChannel to transport data in AMFX format. A remote, unauthenticated attacker could exploit this vulnerability to read arbitrary files from the remote system. According to the Adobe advisory, Adobe BlazeDS, LiveCycle, LiveCycle Data Services, Flex Data Services and ColdFusion are known to be affected by this issue.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 44937
published: 2010-03-01
reporter: This script is Copyright (C) 2010-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/44937
title: Multiple Adobe Products XML External Entity (XXE) Injection (APSB10-05)

Seebug

bulletinFamily: exploit
description: No description provided by source.
id: SSV:19164
last seen: 2017-11-19
modified: 2010-02-22
published: 2010-02-22
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-19164
title: Multiple Adobe Products XML External Entity And XML Injection Vulnerabilities