Rapid7 Vulnerability & Exploit Database

Adobe products XML external entity injection vulnerability (CVE-2009-3960)


Severity: 4
CVSS: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Published: 02/15/2010
Created: 07/25/2018
Added: 01/05/2011
Modified: 02/13/2015

Description

Multiple Adobe server products are vulnerable to XML external entity (XXE) injection, which allows remote, unauthenticated attackers to read arbitrary files from the system. Affected software includes BlazeDS 3.2 and earlier versions; LiveCycle 9.0, 8.2.1, and 8.0.1; LiveCycle Data Services 3.0, 2.6.1, and 2.5.1; Flex Data Services 2.0.1; and ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2.

Solution(s)

  • patch-http-adobe-amf-gateway-xxe
