4.3

CVE-2007-0044

Exploit
Adobe Acrobat Reader Plugin before 8.0.0 for the Firefox, Internet Explorer, and Opera web browsers allows remote attackers to force the browser to make unauthorized requests to other web sites via a URL in the (1) FDF, (2) xml, and (3) xfdf AJAX request parameters, following the # (hash) character, aka "Universal CSRF and session riding."
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
AdobeAcrobat Editionelements Version <= 7.0.8
AdobeAcrobat Version7.0 Editionprofessional
AdobeAcrobat Version7.0 Editionstandard
AdobeAcrobat Version7.0.1 Editionprofessional
AdobeAcrobat Version7.0.1 Editionstandard
AdobeAcrobat Version7.0.2 Editionprofessional
AdobeAcrobat Version7.0.2 Editionstandard
AdobeAcrobat Version7.0.3 Editionprofessional
AdobeAcrobat Version7.0.3 Editionstandard
AdobeAcrobat Version7.0.4 Editionprofessional
AdobeAcrobat Version7.0.4 Editionstandard
AdobeAcrobat Version7.0.5 Editionprofessional
AdobeAcrobat Version7.0.5 Editionstandard
AdobeAcrobat Version7.0.6 Editionprofessional
AdobeAcrobat Version7.0.6 Editionstandard
AdobeAcrobat Version7.0.7 Editionprofessional
AdobeAcrobat Version7.0.7 Editionstandard
AdobeAcrobat Version7.0.8 Editionprofessional
AdobeAcrobat Version7.0.8 Editionstandard
AdobeAcrobat Reader Version <= 7.0.8
AdobeAcrobat Reader Version6.0
AdobeAcrobat Reader Version6.0.1
AdobeAcrobat Reader Version6.0.2
AdobeAcrobat Reader Version6.0.3
AdobeAcrobat Reader Version6.0.4
AdobeAcrobat Reader Version6.0.5
AdobeAcrobat Reader Version7.0
AdobeAcrobat Reader Version7.0.1
AdobeAcrobat Reader Version7.0.2
AdobeAcrobat Reader Version7.0.3
AdobeAcrobat Reader Version7.0.4
AdobeAcrobat Reader Version7.0.5
AdobeAcrobat Reader Version7.0.6
AdobeAcrobat Reader Version7.0.7
AdobeAcrobat Reader Version7.0.8
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 55.47% 0.989
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

http://lists.suse.com/archive/suse-security-announce/2007-Jan/0012.html
http://secunia.com/advisories/23812
http://secunia.com/advisories/23882
Vendor Advisory
http://security.gentoo.org/glsa/glsa-200701-16.xml
http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf
http://secunia.com/advisories/29065
Vendor Advisory
http://securityreason.com/securityalert/2090
Vendor Advisory
http://securitytracker.com/id?1017469
http://www.redhat.com/support/errata/RHSA-2008-0144.html
http://www.securityfocus.com/archive/1/455801/100/0/threaded
http://www.securityfocus.com/bid/21858
http://www.vupen.com/english/advisories/2007/0032
http://www.wisec.it/vulns.php?page=9
Patch
Exploit
https://exchange.xforce.ibmcloud.com/vulnerabilities/31266
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10042