CVE-2007-0044: CSRF
First published: Wed Jan 03 2007(Updated: )
Adobe Acrobat Reader Plugin before 8.0.0 for the Firefox, Internet Explorer, and Opera web browsers allows remote attackers to force the browser to make unauthorized requests to other web sites via a URL in the (1) FDF, (2) xml, and (3) xfdf AJAX request parameters, following the # (hash) character, aka "Universal CSRF and session riding."
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Adobe Acrobat Reader | =7.0.6 | |
| Adobe Acrobat Reader Notification Manager | =7.0.5 | |
| Adobe Acrobat Reader Notification Manager | =7.0.6 | |
| Adobe Acrobat Reader | =7.0 | |
| Adobe Acrobat Reader | =7.0 | |
| Adobe Acrobat Reader Notification Manager | =7.0.8 | |
| Adobe Acrobat Reader | =7.0.5 | |
| Adobe Acrobat Reader Notification Manager | =6.0.3 | |
| Adobe Acrobat Reader | <=7.0.8 | |
| Adobe Acrobat 3D | ||
| Adobe Acrobat Reader Notification Manager | =7.0.7 | |
| Adobe Acrobat Reader | =7.0.3 | |
| Adobe Acrobat Reader | =7.0.4 | |
| Adobe Acrobat Reader | =7.0.6 | |
| Adobe Acrobat Reader | =7.0.5 | |
| Adobe Acrobat Reader Notification Manager | =7.0.3 | |
| Adobe Acrobat Reader | =7.0.2 | |
| Adobe Acrobat Reader Notification Manager | =7.0.1 | |
| Adobe Acrobat Reader Notification Manager | =7.0.2 | |
| Adobe Acrobat Reader Notification Manager | =7.0 | |
| Adobe Acrobat Reader | =7.0.7 | |
| Adobe Acrobat Reader | =7.0.8 | |
| Adobe Acrobat Reader | =7.0.1 | |
| Adobe Acrobat Reader Notification Manager | =6.0.1 | |
| Adobe Acrobat Reader Notification Manager | =6.0.5 | |
| Adobe Acrobat Reader | =7.0.7 | |
| Adobe Acrobat Reader | =7.0.4 | |
| Adobe Acrobat Reader | =7.0.8 | |
| Adobe Acrobat Reader | =7.0.2 | |
| Adobe Acrobat Reader Notification Manager | =6.0 | |
| Adobe Acrobat Reader Notification Manager | =6.0.2 | |
| Adobe Acrobat Reader | =7.0.3 | |
| Adobe Acrobat Reader Notification Manager | =6.0.4 | |
| Adobe Acrobat Reader Notification Manager | <=7.0.8 | |
| Adobe Acrobat Reader Notification Manager | =7.0.4 | |
| Adobe Acrobat Reader | =7.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf
- http://www.wisec.it/vulns.php?page=9
- http://securitytracker.com/id?1017469
- http://www.securityfocus.com/bid/21858
- http://security.gentoo.org/glsa/glsa-200701-16.xml
- http://lists.suse.com/archive/suse-security-announce/2007-Jan/0012.html
- http://secunia.com/advisories/23812
- http://secunia.com/advisories/23882
- http://securityreason.com/securityalert/2090
- http://www.redhat.com/support/errata/RHSA-2008-0144.html
- http://secunia.com/advisories/29065
- http://www.vupen.com/english/advisories/2007/0032
- https://exchange.xforce.ibmcloud.com/vulnerabilities/31266
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10042
- http://www.securityfocus.com/archive/1/455801/100/0/threaded
Frequently Asked Questions
What is the severity of CVE-2007-0044?
CVE-2007-0044 is considered a moderate severity vulnerability that can allow unauthorized requests via AJAX parameters.
How do I fix CVE-2007-0044?
To fix CVE-2007-0044, upgrade to Adobe Acrobat Reader version 8.0.0 or later.
What products are affected by CVE-2007-0044?
CVE-2007-0044 affects multiple versions of Adobe Acrobat and Adobe Acrobat Reader, specifically versions prior to 8.0.0.
Can CVE-2007-0044 lead to data theft?
Yes, CVE-2007-0044 can potentially lead to data theft as it allows attackers to send unauthorized requests to other websites.
Is CVE-2007-0044 exploitable remotely?
Yes, CVE-2007-0044 can be exploited remotely by attackers targeting vulnerable Adobe Acrobat Reader installations.
- agent/type
- agent/remedy
- agent/author
- agent/references
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- agent/weakness
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/softwarecombine
- vendor/adobe
- canonical/adobe acrobat reader
- version/adobe acrobat reader/7.0.6
- canonical/adobe acrobat reader notification manager
- version/adobe acrobat reader notification manager/7.0.5
- version/adobe acrobat reader notification manager/7.0.6
- version/adobe acrobat reader/7.0
- version/adobe acrobat reader notification manager/7.0.8
- version/adobe acrobat reader/7.0.5
- version/adobe acrobat reader notification manager/6.0.3
- version/adobe acrobat reader/7.0.8
- canonical/adobe acrobat 3d
- version/adobe acrobat reader notification manager/7.0.7
- version/adobe acrobat reader/7.0.3
- version/adobe acrobat reader/7.0.4
- version/adobe acrobat reader notification manager/7.0.3
- version/adobe acrobat reader/7.0.2
- version/adobe acrobat reader notification manager/7.0.1
- version/adobe acrobat reader notification manager/7.0.2
- version/adobe acrobat reader notification manager/7.0
- version/adobe acrobat reader/7.0.7
- version/adobe acrobat reader/7.0.1
- version/adobe acrobat reader notification manager/6.0.1
- version/adobe acrobat reader notification manager/6.0.5
- version/adobe acrobat reader notification manager/6.0
- version/adobe acrobat reader notification manager/6.0.2
- version/adobe acrobat reader notification manager/6.0.4
- version/adobe acrobat reader notification manager/7.0.4