7.8 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:C/I:N/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.033 Low
EPSS
Percentile
91.4%
The version of Adobe Experience Manager installed on the remote host is either 5.6.1, 6.0.0, or 6.1.0. It is, therefore, affected by multiple vulnerabilities as referenced in the APSB16-05 advisory.
Adobe Experience Manager version 6.1 is affected by a cross-site scripting vulnerability that could lead to information disclosure. Apply hot fix 8651 to resolve. (CVE-2016-0955)
Adobe Experience Manager version 5.6.1, 6.0, or 6.1 is affected by an information disclosure vulnerability affecting Apache Sling Servlets Post 2.3.6 and earlier versions. Apply hot fix 6445 to resolve. (CVE-2016-0956)
Adobe Experience Manager version 5.6.1, 6.0, or 6.1 is affected by a URL filter bypass vulnerability that could be used to circumvent dispatcher rules. Install Dispatcher 4.1.5 or higher to resolve. (CVE-2016-0957)
Adobe Experience Manager version 5.6.1, 6.0, or 6.1 is affected by a Java deserialization issue. Apply hot fix 8364 to resolve. (CVE-2016-0958)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(181454);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/15");
script_cve_id(
"CVE-2016-0955",
"CVE-2016-0956",
"CVE-2016-0957",
"CVE-2016-0958"
);
script_name(english:"Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0 Multiple Vulnerabilities (APSB16-05)");
script_set_attribute(attribute:"synopsis", value:
"The Adobe Experience Manager instance installed on the remote host is affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The version of Adobe Experience Manager installed on the remote host is either 5.6.1, 6.0.0, or 6.1.0.
It is, therefore, affected by multiple vulnerabilities as referenced in the APSB16-05 advisory.
- Adobe Experience Manager version 6.1 is affected by a cross-site scripting vulnerability that
could lead to information disclosure. Apply hot fix 8651 to resolve. (CVE-2016-0955)
- Adobe Experience Manager version 5.6.1, 6.0, or 6.1 is affected by an information disclosure
vulnerability affecting Apache Sling Servlets Post 2.3.6 and earlier versions. Apply hot fix 6445
to resolve. (CVE-2016-0956)
- Adobe Experience Manager version 5.6.1, 6.0, or 6.1 is affected by a URL filter bypass vulnerability
that could be used to circumvent dispatcher rules. Install Dispatcher 4.1.5 or higher to resolve.
(CVE-2016-0957)
- Adobe Experience Manager version 5.6.1, 6.0, or 6.1 is affected by a Java deserialization issue.
Apply hot fix 8364 to resolve. (CVE-2016-0958)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
# https://helpx.adobe.com/security/products/experience-manager/apsb16-05.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?43036e1a");
script_set_attribute(attribute:"solution", value:
"Apply hot fixes 6445, 8651, 8364 and install Dispatcher 4.1.5 or upgrade to Adobe Experience Manager version 6.2 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-0958");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2016/02/09");
script_set_attribute(attribute:"patch_publication_date", value:"2016/02/09");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/09/14");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:experience_manager");
script_set_attribute(attribute:"generated_plugin", value:"former");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("adobe_experience_manager_http_detect.nbin", "adobe_experience_manager_installed.nbin");
script_require_keys("installed_sw/Adobe Experience Manager");
exit(0);
}
include('vcf.inc');
var app = 'Adobe Experience Manager';
var app_info = vcf::combined_get_app_info(app:app);
var constraints = [
{ 'min_version' : '5.6.1', 'fixed_version' : '6.2' }
];
vcf::check_version_and_report(
app_info:app_info,
constraints:constraints,
severity:SECURITY_HOLE
);
Vendor | Product | Version | CPE |
---|---|---|---|
adobe | experience_manager | cpe:/a:adobe:experience_manager |
7.8 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:C/I:N/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.033 Low
EPSS
Percentile
91.4%