CVE-2009-3956 — Cross-site Scripting in Adobe Acrobat

CWE-165 documents5 sources

Severity

10.0CRITICALNVD

EPSS

5.1%

top 10.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Adobe Acrobat Adobe Acrobat Reader

Timeline

PublishedJan 13

Latest updateMay 2

Description

The default configuration of Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, does not enable the Enhanced Security feature, which has unspecified impact and attack vectors, related to a "script injection vulnerability," as demonstrated by Acrobat Forms Data Format (FDF) behavior that allows cross-site scripting (XSS) by user-assisted remote attackers.

CVSS vector

AV:N/AC:L/C:C/I:C/A:CExploitability: 10.0 | Impact: 10.0

Affected Packages2 packages

▶NVDadobe/acrobat_reader9.2+49

▶NVDadobe/acrobat9.2+46

Patches

Patch: www.adobe.com ↗Patch: www.adobe.com ↗

🔴Vulnerability Details

GHSA

GHSA-27hw-76jw-48hx: The default configuration of Adobe Reader and Acrobat 9↗2022-05-02

▶

🔍Detection Rules

Suricata

ET WEB_CLIENT Possible Adobe Reader and Acrobat Forms Data Format Remote Security Bypass Attempt↗2010-07-30

▶

📋Vendor Advisories

Red Hat

acroread: script injection vulnerability (APSB10-02)↗2010-01-12

▶

💬Community

Bugzilla

CVE-2009-3956 acroread: script injection vulnerability (APSB10-02)↗2010-01-11

▶