The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Adobe LiveCycle

computer vulnerability alert CVE-2016-6933 CVE-2016-6934

Adobe LiveCycle: Cross Site Scripting via Adobe Experience Manager

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting attack via Adobe Experience Manager in Adobe LiveCycle, in order to run JavaScript code in the context of the web site.
Impacted products: Adobe LiveCycle.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 16/12/2016.
Identifiers: APSB16-40, CVE-2016-6933, CVE-2016-6934, VIGILANCE-VUL-21396.

Description of the vulnerability

The Adobe LiveCycle product offers a web service.

However, data received via Adobe Experience Manager is not filtered before being inserted into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting attack via Adobe Experience Manager in Adobe LiveCycle, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2015-5255

Apache Flex BlazeDS: external XML entity injection

Synthesis of the vulnerability

An attacker can transmit malicious XML data to Apache Flex BlazeDS, in order to read a file, scan sites, or trigger a denial of service.
Impacted products: Adobe LiveCycle, Unix (platform) ~ not comprehensive, vCenter Server, VMware vSphere.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: document.
Creation date: 21/12/2015.
Identifiers: APSB15-30, CVE-2015-5255, VIGILANCE-VUL-18568, VMSA-2015-0008, VMSA-2015-0008.1.

Description of the vulnerability

XML data can contain external entities, declared in the DTD:
  <!ENTITY name SYSTEM "file">
  <!ENTITY name SYSTEM "http://server/file">
A program which reads this XML data can replace each entity with the content of the indicated file or URL. When the program processes XML data coming from an untrusted source, this behavior leads to:
 - disclosure of the content of files on the server
 - scanning of private (internal) web sites
 - a denial of service by opening a file that blocks on read
This feature must be disabled when processing XML data coming from an untrusted source.

However, the Apache Flex BlazeDS parser resolves external entities.

An attacker can therefore transmit malicious XML data to Apache Flex BlazeDS, in order to read a file, scan sites, or trigger a denial of service.

computer vulnerability alert CVE-2015-5255

Adobe LiveCycle Data Services: Server Side Request Forgery of BlazeDS

Synthesis of the vulnerability

An attacker can trigger a Server Side Request Forgery in BlazeDS of Adobe LiveCycle Data Services, in order to access filtered web services.
Impacted products: Adobe LiveCycle.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 18/11/2015.
Identifiers: APSB15-30, CVE-2015-5255, VIGILANCE-VUL-18326.

Description of the vulnerability

The Adobe LiveCycle Data Services product uses BlazeDS (flex-messaging-core.jar) to exchange messages.

However, using crafted XML data, an attacker can force BlazeDS to send a request to a private (internal) server. This vulnerability of BlazeDS is described in VIGILANCE-VUL-18568.

An attacker can therefore trigger a Server Side Request Forgery in BlazeDS of Adobe LiveCycle Data Services, in order to access filtered web services.

vulnerability CVE-2015-3269

Apache Flex BlazeDS: information disclosure

Synthesis of the vulnerability

An attacker can transmit malicious XML data via BlazeDS to Adobe LiveCycle Data Services, in order to read a file, scan sites, or trigger a denial of service.
Impacted products: Adobe LiveCycle, HPE BSM, HP Operations.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: document.
Creation date: 19/08/2015.
Identifiers: APSB15-20, c05026202, CVE-2015-3269, HPSBGN03550, VIGILANCE-VUL-17710.

Description of the vulnerability

XML data can contain external entities, declared in the DTD:
  <!ENTITY name SYSTEM "file">
  <!ENTITY name SYSTEM "http://server/file">
A program which reads this XML data can replace each entity with the content of the indicated file or URL. When the program processes XML data coming from an untrusted source, this behavior leads to:
 - disclosure of the content of files on the server
 - scanning of private (internal) web sites
 - a denial of service by opening a file that blocks on read
This feature must be disabled when processing XML data coming from an untrusted source.

However, the Apache Flex BlazeDS parser resolves external entities.

An attacker can therefore transmit malicious XML data to Apache Flex BlazeDS, in order to read a file, scan sites, or trigger a denial of service.
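As an added example (not code from the Vigil@nce bulletins or from BlazeDS), the following Python check implements the rule stated in the descriptions of CVE-2015-5255 and CVE-2015-3269 above: inspect untrusted XML with a parser that performs no I/O of its own, record the DOCTYPE and entity declarations, and reject any document that declares or dereferences an external entity or pulls in an external DTD. The sample documents and the SYSTEM identifiers in them are constructed placeholders.

```python
import xml.parsers.expat as expat

class UnsafeXMLError(ValueError):
    """Raised when untrusted XML dereferences an external entity."""

def inspect_xml(data: bytes) -> dict:
    """Parse with expat, which performs no file or network I/O by itself, and
    record every DOCTYPE and entity declaration. Raises UnsafeXMLError at the
    moment an external entity is dereferenced in content, i.e. exactly where a
    resolving parser would read the SYSTEM file or contact the named server."""
    findings = {"doctype": None, "external_entities": [], "internal_entities": []}
    parser = expat.ParserCreate()
    # Never fetch an external DTD subset or expand parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings["doctype"] = {"name": name, "sysid": sysid, "pubid": pubid}

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # <!ENTITY x SYSTEM "file"> and SYSTEM "http://server/file" both carry a sysid.
        if sysid is not None or pubid is not None:
            findings["external_entities"].append({"name": name, "sysid": sysid})
        else:
            findings["internal_entities"].append(name)

    def on_external_ref(context, base, sysid, pubid):
        # The document actually used the external entity: refuse instead of fetching.
        raise UnsafeXMLError(f"external entity reference to {sysid!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)
    return findings

def is_safe_for_untrusted(data: bytes) -> bool:
    """Accept a document only if it uses neither an external DTD nor an external entity."""
    try:
        f = inspect_xml(data)
    except UnsafeXMLError:
        return False
    dt = f["doctype"] or {}
    return not f["external_entities"] and dt.get("sysid") is None and dt.get("pubid") is None

# Constructed sample documents (not from the bulletin); SYSTEM identifiers are placeholders.
CLEAN = b"<data>hello</data>"
DECLARES_ONLY = (b'<?xml version="1.0"?>\n<!DOCTYPE data [\n  <!ENTITY greeting "hello">\n'
                 b'  <!ENTITY ext SYSTEM "file:///placeholder/path">\n]>\n<data>&greeting;</data>')
DEREFERENCES = DECLARES_ONLY.replace(b"&greeting;", b"&ext;")
EXTERNAL_DTD = b'<!DOCTYPE data SYSTEM "http://placeholder.invalid/data.dtd"><data/>'
```

Run this guard before handing the bytes to the parser that actually builds the message; a document that merely declares an external entity is already rejected, since a later parser with entity resolution enabled would fetch it.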

computer vulnerability announce CVE-2011-2092 CVE-2011-2093

Adobe LiveCycle: two vulnerabilities

Synthesis of the vulnerability

An attacker can use two vulnerabilities of Adobe LiveCycle, in order to create a class or to create a denial of service.
Impacted products: Adobe LiveCycle.
Severity: 3/4.
Consequences: user access/rights, data creation/edition, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 15/06/2011.
Identifiers: APSB11-15, BID-48267, CERTA-2011-AVI-341, CVE-2011-2092, CVE-2011-2093, VIGILANCE-VUL-10747.

Description of the vulnerability

Two vulnerabilities were announced in Adobe LiveCycle.

An attacker can abuse AMF/AMFX deserialization, in order to create a class. [severity:3/4; CERTA-2011-AVI-341, CVE-2011-2092]

An attacker can send a complex object graph, in order to cause a denial of service. [severity:2/4; CVE-2011-2093]

computer vulnerability bulletin CVE-2010-5212 CVE-2010-5213

Adobe LiveCycle: code execution via DLL Preload

Synthesis of the vulnerability

An attacker can use a malicious DLL in order to execute code in Adobe LiveCycle.
Impacted products: Adobe LiveCycle.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 14/09/2010.
Identifiers: BID-43186, CVE-2010-5212, CVE-2010-5213, VIGILANCE-VUL-9928.

Description of the vulnerability

The Adobe LiveCycle program loads several DLLs when it starts.

However, these libraries are loaded insecurely. An attacker can thus use the VIGILANCE-VUL-9879 vulnerability to execute code.

An attacker can therefore use a malicious DLL, in order to execute code in the context of Adobe LiveCycle.

vulnerability CVE-2009-3960

Adobe LiveCycle: information disclosure via BlazeDS

Synthesis of the vulnerability

An attacker can use a vulnerability of BlazeDS, in order to read files located on the LiveCycle server.
Impacted products: Adobe LiveCycle.
Severity: 3/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 12/02/2010.
Identifiers: APSB10-05, CVE-2009-3960, VIGILANCE-VUL-9450.

Description of the vulnerability

The BlazeDS technology is used by Java applications to exchange messages and data with a back-end server.

The Adobe LiveCycle service uses BlazeDS.

An attacker can send BlazeDS an XML query containing an external entity reference. BlazeDS then includes the content of a local file in its answer.

An attacker can therefore use a vulnerability of BlazeDS, in order to read files located on the LiveCycle server.