CVE-2009-3960
In short
BlazeDS and related Adobe products contain a vulnerability that allows attackers to extract sensitive information by manipulating XML requests with injected tags and external entity references. This could expose confidential data if an attacker sends a specially crafted request to the affected system.
Technical detail
An unspecified vulnerability in BlazeDS 3.2 and earlier versions (affecting LiveCycle, Flex Data Services, and ColdFusion) permits remote attackers to retrieve sensitive information through XML external entity (XXE) injection and tag injection vectors. The attack requires sending a specially crafted XML request but does not require authentication, allowing information disclosure.
Summary generated and translated by AI from the official description.
Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
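Added example, not code from the page or from Adobe/BlazeDS: BlazeDS runs on Java, but the defensive check the description implies (refuse any XML request that carries a DOCTYPE or entity declaration, because XXE payloads need a DTD to declare their entities) is shown here in Python against a constructed AMFX-style request body; the element names and the file path in the sample are assumptions.

```python
import xml.parsers.expat


class UnsafeXmlRequest(ValueError):
    """Raised when a request body carries a DOCTYPE or entity declaration."""


def parse_xml_request(body: bytes) -> list:
    """Parse `body` with expat, refusing any DTD or entity declaration.
    Returns (element_name, text) tuples in document order."""
    parser = xml.parsers.expat.ParserCreate()
    elements = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Exceptions raised inside expat handlers propagate out of Parse().
        raise UnsafeXmlRequest("DOCTYPE declaration not allowed: %s" % name)

    def on_entity_decl(*_):
        # Defence in depth: refuse entity declarations directly as well.
        raise UnsafeXmlRequest("entity declaration not allowed")

    def on_start(name, attrs):
        elements.append([name, ""])

    def on_chars(data):  # attach character data to the latest element
        if elements:
            elements[-1][1] += data

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        raise ValueError("malformed XML: %s" % exc) from None
    return [(name, text.strip()) for name, text in elements]


def is_request_safe(body: bytes) -> bool:
    """True when the body parses without any DTD or entity declaration."""
    try:
        parse_xml_request(body)
    except UnsafeXmlRequest:
        return False
    return True


# Constructed sample bodies, not real BlazeDS traffic.
BENIGN = b'<?xml version="1.0"?><amfx ver="3"><body><string>ping</string></body></amfx>'
DTD_REQUEST = (b'<?xml version="1.0"?><!DOCTYPE amfx [<!ENTITY ext SYSTEM '
               b'"file:///constructed/secret.txt">]><amfx ver="3"><body>&ext;</body></amfx>')
```

On the Java side the same gate is the parser-factory feature `http://apache.org/xml/features/disallow-doctype-decl` set to true before any request body is parsed.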
Affected products
n/a · n/a
Public PoCs found — 3
www.exploit-db.com/exploits/41855/ (cve_reference, unverified)
www.exploit-db.com/exploits/11529 (exploitdb, unverified)
www.exploit-db.com/exploits/41855 (exploitdb, unverified)
⚠ Public resources for assessing the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://secunia.com/advisories/38543
http://securitytracker.com/id?1023584
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2009-3960
https://www.exploit-db.com/exploits/41855/
http://www.adobe.com/support/security/bulletins/apsb10-05.html
http://www.osvdb.org/62292
http://www.securityfocus.com/bid/38197