ID CVE-2009-3960
Summary Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents.
References
Vulnerable Configurations
  • cpe:2.3:a:adobe:lifecycle:8.0.1
  • cpe:2.3:a:adobe:lifecycle:8.2.1
  • cpe:2.3:a:adobe:lifecycle:9.0
  • cpe:2.3:a:adobe:lifecycle_data_services:2.5.1
  • cpe:2.3:a:adobe:lifecycle_data_services:2.6.1
  • cpe:2.3:a:adobe:lifecycle_data_services:3.0
  • cpe:2.3:a:adobe:flex_data_services:2.0.1
  • Adobe ColdFusion MX 7.0.2
    cpe:2.3:a:adobe:coldfusion:7.0.2
  • Adobe ColdFusion 8.0
    cpe:2.3:a:adobe:coldfusion:8.0
  • Adobe ColdFusion 8.0.1
    cpe:2.3:a:adobe:coldfusion:8.0.1
  • cpe:2.3:a:adobe:blazeds:3.2
  • Adobe ColdFusion 9.0
    cpe:2.3:a:adobe:coldfusion:9.0
CVSS
Base: 4.3 (as of 16-02-2010 - 07:50)
Impact:
Exploitability:
Access
  Vector NETWORK
  Complexity MEDIUM
  Authentication NONE
Impact
  Confidentiality PARTIAL
  Integrity NONE
  Availability NONE
d2sec via4
name Adobe XML External Entity File Disclosure
url http://www.d2sec.com/exploits/adobe_xml_external_entity_file_disclosure.html
exploit-db via4
  • description Multiple Adobe Products XML External Entity And XML Injection Vulnerabilities. CVE-2009-3960. Dos exploits for multiple platform
    id EDB-ID:11529
    last seen 2016-02-01
    modified 2010-02-22
    published 2010-02-22
    reporter Roberto Suggi Liverani
    source https://www.exploit-db.com/download/11529/
    title Multiple Adobe Products XML External Entity And XML Injection Vulnerabilities
  • description Adobe Multiple Products - XML Injection File Content Disclosure. CVE-2009-3960. Webapps exploit for XML platform
    file exploits/xml/webapps/41855.sh
    id EDB-ID:41855
    last seen 2017-04-11
    modified 2017-04-07
    platform xml
    port 8400
    published 2017-04-07
    reporter Exploit-DB
    source https://www.exploit-db.com/download/41855/
    title Adobe Multiple Products - XML Injection File Content Disclosure
    type webapps
metasploit via4
description Multiple Adobe Products -- XML External Entity Injection. Affected Software: BlazeDS 3.2 and earlier versions, LiveCycle 9.0, 8.2.1, and 8.0.1, LiveCycle Data Services 3.0, 2.6.1, and 2.5.1, Flex Data Services 2.0.1, ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2
id MSF:AUXILIARY/SCANNER/HTTP/ADOBE_XML_INJECT
last seen 2019-03-31
modified 2017-08-27
published 2010-11-04
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/adobe_xml_inject.rb
title Adobe XML External Entity Injection
nessus via4
NASL family CGI abuses
NASL id ADOBE_MULTIPLE_PRODUCTS_XXE.NASL
description The remote host appears to be running an Adobe product that is susceptible to XML External Entity (XXE) attacks. The installed version of the product fails to block the use of external XML entities while using the HTTPChannel to transport data in AMFX format. A remote, unauthenticated attacker could exploit this vulnerability to read arbitrary files from the remote system. According to the Adobe advisory, Adobe BlazeDS, LiveCycle, LiveCycle Data Services, Flex Data Services and ColdFusion are known to be affected by this issue.
last seen 2019-02-21
modified 2018-11-15
plugin id 44937
published 2010-03-01
reporter Tenable
source https://www.tenable.com/plugins/index.php?view=single&id=44937
title Multiple Adobe Products XML External Entity (XXE) Injection (APSB10-05)
packetstorm via4
refmap via4
bid 38197
confirm http://www.adobe.com/support/security/bulletins/apsb10-05.html
exploit-db 41855
osvdb 62292
sectrack 1023584
secunia 38543
Last major update 26-02-2010 - 02:09
Published 15-02-2010 - 13:30
Last modified 15-08-2017 - 21:29