CVE-2007-0045

medium

Description

Multiple cross-site scripting (XSS) vulnerabilities in Adobe Acrobat Reader Plugin before 8.0.0, and possibly the plugin distributed with Adobe Reader 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2, for Mozilla Firefox, Microsoft Internet Explorer 6 SP1, Google Chrome, Opera 8.5.4 build 770, and Opera 9.10.8679 on Windows allow remote attackers to inject arbitrary JavaScript and conduct other attacks via a .pdf URL with a javascript: or res: URI with (1) FDF, (2) XML, and (3) XFDF AJAX parameters, or (4) an arbitrarily named name=URI anchor identifier, aka "Universal XSS (UXSS)."

References

https://rhn.redhat.com/errata/RHSA-2007-0017.html

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9693

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6487

https://exchange.xforce.ibmcloud.com/vulnerabilities/31271

http://www.vupen.com/english/advisories/2009/2898

http://www.vupen.com/english/advisories/2007/0957

http://www.vupen.com/english/advisories/2007/0032

http://www.us-cert.gov/cas/techalerts/TA09-286B.html

http://www.securityfocus.com/bid/21858

http://www.securityfocus.com/archive/1/455906/100/0/threaded

http://www.securityfocus.com/archive/1/455836/100/0/threaded

http://www.securityfocus.com/archive/1/455801/100/0/threaded

http://www.securityfocus.com/archive/1/455800/100/0/threaded

http://www.redhat.com/support/errata/RHSA-2007-0021.html

http://www.mozilla.org/security/announce/2007/mfsa2007-02.html

http://www.kb.cert.org/vuls/id/815960

http://www.gnucitizen.org/blog/universal-pdf-xss-after-party

http://www.adobe.com/support/security/bulletins/apsb09-15.html

http://www.adobe.com/support/security/bulletins/apsb07-01.html

http://www.adobe.com/support/security/advisories/apsa07-02.html

http://www.adobe.com/support/security/advisories/apsa07-01.html

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102847-1

http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.338131

http://securitytracker.com/id?1023007

http://securitytracker.com/id?1017469

http://securityreason.com/securityalert/2090

http://security.gentoo.org/glsa/glsa-200701-16.xml

http://secunia.com/advisories/33754

http://secunia.com/advisories/24533

http://secunia.com/advisories/24457

http://secunia.com/advisories/23882

http://secunia.com/advisories/23877

http://secunia.com/advisories/23812

http://secunia.com/advisories/23691

http://secunia.com/advisories/23483

http://lists.suse.com/archive/suse-security-announce/2007-Jan/0012.html

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742

http://googlechromereleases.blogspot.com/2009/01/stable-beta-update-yahoo-mail-and.html

http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf

Details

Source: Mitre, NVD

Published: 2007-01-03

Updated: 2018-10-16

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium