Vulnerability Details : CVE-2007-0045
Potential exploit
Multiple cross-site scripting (XSS) vulnerabilities in Adobe Acrobat Reader Plugin before 8.0.0, and possibly the plugin distributed with Adobe Reader 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2, for Mozilla Firefox, Microsoft Internet Explorer 6 SP1, Google Chrome, Opera 8.5.4 build 770, and Opera 9.10.8679 on Windows allow remote attackers to inject arbitrary JavaScript and conduct other attacks via a .pdf URL with a javascript: or res: URI with (1) FDF, (2) XML, and (3) XFDF AJAX parameters, or (4) an arbitrarily named name=URI anchor identifier, aka "Universal XSS (UXSS)."
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2007-0045
- cpe:2.3:a:adobe:acrobat_reader:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:6.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:6.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:7.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:7.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:7.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:6.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:7.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:7.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:7.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:7.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:6.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:7.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:*:*:elements:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:7.0.1:*:standard:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:7.0.2:*:professional:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:7.0.5:*:standard:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:7.0.6:*:professional:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:7.0.3:*:standard:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:7.0.4:*:professional:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:7.0.7:*:standard:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:7.0.8:*:professional:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:7.0.8:*:standard:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:7.0.2:*:standard:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:7.0.3:*:professional:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:7.0.6:*:standard:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:7.0.7:*:professional:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:7.0.1:*:professional:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:7.0.4:*:standard:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:7.0.5:*:professional:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:7.0:*:professional:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:7.0:*:standard:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_3d:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2007-0045
EPSS score: 68.98% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~99% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2007-0045
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
CWE ids for CVE-2007-0045
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2007-0045
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102847-1
- http://www.vupen.com/english/advisories/2007/0032 (Vendor Advisory)
- http://securitytracker.com/id?1017469
- http://www.securityfocus.com/archive/1/455800/100/0/threaded
- http://www.kb.cert.org/vuls/id/815960 (Third Party Advisory; US Government Resource)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9693
- http://securitytracker.com/id?1023007
- http://www.gnucitizen.org/blog/danger-danger-danger/ (Exploit; Vendor Advisory)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6487
- http://www.adobe.com/support/security/advisories/apsa07-02.html
- http://www.adobe.com/support/security/bulletins/apsb07-01.html
- http://googlechromereleases.blogspot.com/2009/01/stable-beta-update-yahoo-mail-and.html
- http://www.securityfocus.com/archive/1/455831/100/0/threaded (Exploit)
- http://www.securityfocus.com/archive/1/455790/100/0/threaded (Exploit)
- http://www.adobe.com/support/security/bulletins/apsb09-15.html: Adobe - Security Bulletin APSB09-15 Security Updates Available for Adobe Reader and Acrobat
- https://exchange.xforce.ibmcloud.com/vulnerabilities/31271
- http://www.securityfocus.com/archive/1/455906/100/0/threaded
- http://www.vupen.com/english/advisories/2007/0957 (Vendor Advisory)
- http://www.securityfocus.com/archive/1/455836/100/0/threaded
- http://www.redhat.com/support/errata/RHSA-2007-0021.html
- http://www.securityfocus.com/archive/1/455801/100/0/threaded
- https://rhn.redhat.com/errata/RHSA-2007-0017.html
- http://www.securityfocus.com/bid/21858
- http://security.gentoo.org/glsa/glsa-200701-16.xml
- http://lists.suse.com/archive/suse-security-announce/2007-Jan/0012.html
- http://securityreason.com/securityalert/2090
- http://www.vupen.com/english/advisories/2009/2898 (Vendor Advisory)
- http://www.mozilla.org/security/announce/2007/mfsa2007-02.html
- http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.338131
- http://www.wisec.it/vulns.php?page=9 (Exploit; Patch)
- http://www.gnucitizen.org/blog/universal-pdf-xss-after-party
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742
- http://www.disenchant.ch/blog/hacking-with-browser-plugins/34 (Exploit)
- http://www.us-cert.gov/cas/techalerts/TA09-286B.html (US Government Resource)
- http://www.adobe.com/support/security/advisories/apsa07-01.html (Vendor Advisory)