CVSS: 8.8EPSS: 4%CPEs: 38EXPL: 0CVE-2016-0943 – Adobe Reader DC Global Javascript API Restrictions Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2016-0943
Adobe Reader and Acrobat before 11.0.14, Acrobat and Acrobat Reader DC Classic before 15.006.30119, and Acrobat and Acrobat Reader DC Continuous before 15.010.20056 on Windows and OS X mishandle the Global object, which allows attackers to bypass JavaScript API execution restrictions via unspecified vectors. Adobe Reader y Acrobat en versiones anteriores a 11.0.14, Acrobat y Acrobat Reader DC Classic en versiones anteriores a 15.006.30119 y Acrobat y Acrobat Reader DC Continuous en versiones anteriores a 15.010.20056 en Windows y OS X no maneja adecuadamente el objeto Global, lo que permite a atacantes eludir las restricciones de ejecución de la API JavaScript a través de vectores no especificados. This vulnerability allows remote attackers to bypass API restrictions on vulnerable installations of Adobe Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the Global object. By creating a specially crafted PDF with specific JavaScript instructions, it is possible to bypass the JavaScript API restrictions. • http://www.securitytracker.com/id/1034646 http://zerodayinitiative.com/advisories/ZDI-16-012 https://helpx.adobe.com/security/products/acrobat/apsb16-02.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.8EPSS: 3%CPEs: 38EXPL: 0CVE-2016-0931 – Adobe Reader DC FileAttachment point Use-After-Free Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2016-0931
Adobe Reader and Acrobat before 11.0.14, Acrobat and Acrobat Reader DC Classic before 15.006.30119, and Acrobat and Acrobat Reader DC Continuous before 15.010.20056 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted FileAttachment annotation, a different vulnerability than CVE-2016-0933, CVE-2016-0936, CVE-2016-0938, CVE-2016-0939, CVE-2016-0942, CVE-2016-0944, CVE-2016-0945, and CVE-2016-0946. Adobe Reader y Acrobat en versiones anteriores a 11.0.14, Acrobat y Acrobat Reader DC Classic en versiones anteriores a 15.006.30119 y Acrobat y Acrobat Reader DC Continuous en versiones anteriores a 15.010.20056 en Windows y OS X permite a atacantes ejecutar código arbitrario o causar una denegación de servicio (corrupción de memoria) a través de una anotación FileAttachment manipulada, una vulnerabilidad diferente a CVE-2016-0933, CVE-2016-0936, CVE-2016-0938, CVE-2016-0939, CVE-2016-0942, CVE-2016-0944, CVE-2016-0945 y CVE-2016-0946. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The flaw exists within the handling of FileAttachment annotations. By setting the point attribute to a specific array, an attacker can force a dangling pointer to be reused after it has been freed. • http://www.securitytracker.com/id/1034646 http://zerodayinitiative.com/advisories/ZDI-16-009 https://helpx.adobe.com/security/products/acrobat/apsb16-02.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 8.8EPSS: 3%CPEs: 38EXPL: 0CVE-2016-0939 – Adobe Acrobat Reader DC Uninitialized Memory Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2016-0939
Adobe Reader and Acrobat before 11.0.14, Acrobat and Acrobat Reader DC Classic before 15.006.30119, and Acrobat and Acrobat Reader DC Continuous before 15.010.20056 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (uninitialized pointer dereference and memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-0931, CVE-2016-0933, CVE-2016-0936, CVE-2016-0938, CVE-2016-0942, CVE-2016-0944, CVE-2016-0945, and CVE-2016-0946. Adobe Reader y Acrobat en versiones anteriores a 11.0.14, Acrobat y Acrobat Reader DC Classic en versiones anteriores a 15.006.30119 y Acrobat y Acrobat Reader DC Continuous en versiones anteriores a 15.010.20056 en Windows y OS X permiten a atacantes ejecutar código arbitrario o causar una denegación de servicio (referencia a puntero no inicializado y corrupción de memoria) a través de vectores no especificados, una vulnerabilidad diferente a CVE-2016-0931, CVE-2016-0933, CVE-2016-0936, CVE-2016-0938, CVE-2016-0942, CVE-2016-0944, CVE-2016-0945 y CVE-2016-0946. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of PDF files. By providing a malformed PDF file, an attacker can cause uninitialized memory to be dereferenced. • http://www.securitytracker.com/id/1034646 http://zerodayinitiative.com/advisories/ZDI-16-015 https://helpx.adobe.com/security/products/acrobat/apsb16-02.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 9.3EPSS: 17%CPEs: 38EXPL: 0CVE-2016-0937 – Adobe Acrobat Pro DC OCG Use-After-Free Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2016-0937
Use-after-free vulnerability in the OCG object implementation in Adobe Reader and Acrobat before 11.0.14, Acrobat and Acrobat Reader DC Classic before 15.006.30119, and Acrobat and Acrobat Reader DC Continuous before 15.010.20056 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0932, CVE-2016-0934, CVE-2016-0940, and CVE-2016-0941. Vulnerabilidad de uso después de liberación de memoria en la implementación del objeto OCG en Adobe Reader y Acrobat en versiones anteriores a 11.0.14, Acrobat y Acrobat Reader DC Classic en versiones anteriores a 15.006.30119 y Acrobat y Acrobat Reader DC Continuous en versiones anteriores a 15.010.20056 en Windows y OS X permite a atacantes ejecutar código arbitrario a través de vectores no especificados, una vulnerabilidad diferente a CVE-2016-0932, CVE-2016-0934, CVE-2016-0940 y CVE-2016-0941. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat Pro. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of OCG objects. A specially crafted PDF with a specific OCG action can force a dangling pointer to be reused after it has been freed. • http://www.securitytracker.com/id/1034646 http://zerodayinitiative.com/advisories/ZDI-16-011 https://helpx.adobe.com/security/products/acrobat/apsb16-02.html •
CVSS: 6.4EPSS: 0%CPEs: 20EXPL: 0CVE-2014-9150
https://notcve.org/view.php?id=CVE-2014-9150
Race condition in the MoveFileEx call hook feature in Adobe Reader and Acrobat 11.x before 11.0.09 on Windows allows attackers to bypass a sandbox protection mechanism, and consequently write to files in arbitrary locations, via an NTFS junction attack, a similar issue to CVE-2014-0568. Condición de carrera en la caracteristica 'MoveFileEx call hook' en Adobe Reader and Acrobat 11.x anterior a 11.0.09 en Windows permite a atacantes remotos evadir el mecanismo de protección de sandbox, y como consecuencia escribir a ficheros en localizaciones arbitrarias, a través de un ataque de unión NTFS, un problema similar a CVE-2014-0568. • http://helpx.adobe.com/security/products/reader/apsb14-28.html https://code.google.com/p/google-security-research/issues/detail?id=103 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •