cbcvebase.
CVE-2007-0044
published 2007-01-03

CVE-2007-0044: Adobe Acrobat Reader Plugin before 8.0.0 for the Firefox, Internet Explorer, and Opera web browsers allows remote attackers to force the browser to make…

PriorityP433medium4.3CVSS 2.0
AVNACMAuNCNIPAN
EXPLOIT
EPSS
55.47%
98.9th percentile
Adobe Acrobat Reader Plugin before 8.0.0 for the Firefox, Internet Explorer, and Opera web browsers allows remote attackers to force the browser to make unauthorized requests to other web sites via a URL in the (1) FDF, (2) xml, and (3) xfdf AJAX request parameters, following the # (hash) character, aka "Universal CSRF and session riding."

Affected

26 ranges· showing 25
VendorProductVersion rangeFixed in
adobeacrobat<= 7.0.8
adobeacrobat
adobeacrobat
adobeacrobat
adobeacrobat
adobeacrobat
adobeacrobat
adobeacrobat
adobeacrobat
adobeacrobat
adobeacrobat_reader<= 7.0.8
adobeacrobat_reader
adobeacrobat_reader
adobeacrobat_reader
adobeacrobat_reader
adobeacrobat_reader
adobeacrobat_reader
adobeacrobat_reader
adobeacrobat_reader
adobeacrobat_reader
adobeacrobat_reader
adobeacrobat_reader
adobeacrobat_reader
adobeacrobat_reader
adobeacrobat_reader

Detection & IOCsextracted from sources · hover to see the quote

urlhttp://www.example.com/librariancenter/downloads/Tips_Tricks_85x11.pdf#something=javascript:function%20createXMLHttpRequest(){%20%20%20try{%20return%20new%20ActiveXObject('Msxml2.XMLHTTP');%20}catch(e){}%20%20%20try{%20return%20new%20ActiveXObject('Microsoft.XMLHTTP');%20}catch(e){}%20%20%20try{%20return%20new%20XMLHttpRequest();%20}catch(e){}%20%20%20return%20null;}var%20xhr%20=%20createXMLHttpRequest();xhr.onreadystatechange%20=%20function(){%20%20%20%20if%20(xhr.readyState%20==%204)%20%20%20%20%20%20%20%20alert(xhr.responseText);};xhr.open('GET',%20'http://www.google.com',%20true);xhr.send(null);
  • Monitor HTTP requests originating from the Adobe Reader browser plugin that contain FDF, xml, or xfdf parameters in the URL fragment (after the # character), as these can be used to trigger unauthorized cross-site AJAX requests.
  • Detect PDF URLs in browser traffic where the fragment identifier (#) is followed by FDF=, xml=, or xfdf= parameters pointing to external URLs, indicating a CSRF/session-riding exploitation attempt via the Acrobat Reader plugin.
  • Detect JavaScript execution payloads embedded in PDF URL fragments using the pattern: .pdf#<param>=javascript: — particularly targeting ActiveXObject('Msxml2.XMLHTTP') or XMLHttpRequest instantiation for unauthorized cross-origin requests.
  • ·The vulnerability affects Adobe Acrobat Reader Plugin versions before 8.0.0; versions 6 and 7 (up to and including 7.0.9) are confirmed vulnerable across Firefox, Internet Explorer, and Opera browsers.
  • ·The same CSRF/session-riding effect is achievable using any of three parameter names (FDF, xml, xfdf) in the URL fragment, so detection rules must cover all three variants.

CVSS provenance

nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
vendor_redhat4.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.