Summary Name: Adobe LiveCycle Workflow XSS Vulnerability Release Date: 11 March 2008 Reference: LSD002-2008 CVE Number: CVE-2008-1202 Discover: Dave Lewis Vendor: Adobe Systems Product: LiveCycle Workflow 6.2 Management Web Interface Systems Affected: version 6.2 (as tested) NB. Other versions may be affected. Risk: Important Status: Published Reference: 1) http://www.liquidmatrix.org/blog/2008/03/11/advisory-adobe-livecycle-wor kflow-xss-vulnerability/ 2) http://www.adobe.com/support/security/bulletins/apsb08-10.html Time Line Discovered: 16 January 2008 Reported: 16 January 2008 Fixed: 5 March 2008 Patch Release: 11 March 2008 Published: 11 March 2008 Description The Adobe LiveCycle Workflow management login page contains a vulnerability which is susceptible to a cross site scripting (XSS) attack. Impact: a remote attacker could execute a XSS attack that could pass arbitrary html to the user and capture usernames/passwords. Technical Details Input passed to the URL of the web management login page is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user?s browser session in context of an affected site. Fix Information This issue has been resolved. The patch may be obtained from: http://www.adobe.com/go/supportportal Liquidmatrix Security Digest http://www.liquidmatrix.org/blog/ 2255B Queen Street East suite 156 Toronto, Ontario Canada M4E 1G3