CVSS: 10.0EPSS: 65%CPEs: 101EXPL: 0CVE-2009-3955 – acroread: multiple code execution flaws (APSB10-02)
https://notcve.org/view.php?id=CVE-2009-3955
Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted JPC_MS_RGN marker in the Jp2c stream of a JpxDecode encoded data stream, which triggers an integer sign extension that bypasses a sanity check, leading to memory corruption. Adobe Reader y Acrobat versión 9.x anterior a 9.3 y versión 8.x anterior a 8.2 en Windows y Mac OS X, permiten a los atacantes remotos ejecutar código arbitrario por medio de un marcador JPC_MS_RGN creado en la secuencia Jp2c de un flujo de datos codificado JpxDecode, lo que desencadena una extensión de signo entero que omite una comprobación de saneamiento, lo que conduce a la corrupción de memoria. • http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=836 http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.html http://secunia.com/advisories/38138 http://secunia.com/advisories/38215 http://www.adobe.com/support/security/bulletins/apsb10-02.html http://www.redhat.com/support/errata/RHSA-2010-0060.html http://www.securityfocus.com/bid/37757 http://www.securitytracker.com/id?1023446 http://www.us-cert.gov/cas/techalerts/TA10-013A.html http:// • CWE-399: Resource Management Errors •
CVSS: 10.0EPSS: 3%CPEs: 102EXPL: 0CVE-2009-3956 – acroread: script injection vulnerability (APSB10-02)
https://notcve.org/view.php?id=CVE-2009-3956
The default configuration of Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, does not enable the Enhanced Security feature, which has unspecified impact and attack vectors, related to a "script injection vulnerability," as demonstrated by Acrobat Forms Data Format (FDF) behavior that allows cross-site scripting (XSS) by user-assisted remote attackers. La configuración por defecto en Adobe Reader y Acrobat v9.x anterior a v9.3, y 8.x anterior a v8.2, sobre Windows y Mac OS X, no soporta adecuadamente la funcionalidad Enhanced Security, que tiene un impacto y vectores de ataque desconocidos relacionados con "una vulnerabilidad de inyección de secuencias de comandos". • http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.html http://secunia.com/advisories/38138 http://secunia.com/advisories/38215 http://www.adobe.com/support/security/bulletins/apsb10-02.html http://www.packetstormsecurity.org/1001-exploits/SS-2010-001.txt http://www.redhat.com/support/errata/RHSA-2010-0060.html http://www.securityfocus.com/bid/37763 http://www.securitytracker.com/id?1023446 http://www.stratsec.net/files/SS-2010-001_Stratsec_Acrobat_Script_Injection_ • CWE-16: Configuration •
CVSS: 10.0EPSS: 58%CPEs: 102EXPL: 0CVE-2009-3959 – acroread: multiple code execution flaws (APSB10-02)
https://notcve.org/view.php?id=CVE-2009-3959
Integer overflow in the U3D implementation in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a malformed PDF document. Desbordamiento de entero en la implementación U3D en Adobe Reader y Acrobat v9.x anterior a v9.3, y 8.x anterior a v8.2, sobre Windows y Mac OS X, podría permitir a atacantes ejecutar código de su elección a través de vectores no especificados. • http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.html http://secunia.com/advisories/38138 http://secunia.com/advisories/38215 http://www.adobe.com/support/security/bulletins/apsb10-02.html http://www.redhat.com/support/errata/RHSA-2010-0060.html http://www.securityfocus.com/archive/1/508949 http://www.securityfocus.com/bid/37756 http://www.securitytracker.com/id?1023446 http://www.us-cert.gov/cas/techalerts/TA10-013A.html http://www.vupen.com/english/ • CWE-189: Numeric Errors •
CVSS: 9.3EPSS: 97%CPEs: 11EXPL: 4CVE-2009-4324 – Adobe Acrobat and Reader Use-After-Free Vulnerability
https://notcve.org/view.php?id=CVE-2009-4324
Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009. La vulnerabilidad de uso de la memoria previamente liberada (Use-after-free) en la función Doc.media.newPlayer en el archivo Multimedia.api en Adobe Reader y Acrobat versión 9.x anterior a 9.3, y versión 8.x anterior a 8.2 en Windows y Mac OS X, permite a los atacantes remotos ejecutar código arbitrario por medio de un archivo PDF creado utilizando una transmisión comprimida ZLib, tal como se explotó “in the wild” en diciembre de 2009. Use-after-free vulnerability in Adobe Acrobat and Reader allows remote attackers to execute code via a crafted PDF file. • https://www.exploit-db.com/exploits/16503 https://www.exploit-db.com/exploits/16623 https://www.exploit-db.com/exploits/10618 http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html http://contagiodump.blogspot.com/2009/12/virustotal-httpwww.html http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.html http://osvdb.org/60980 http://secunia.com/advisories/37690 http://secunia.com/advisories/38138 http://secunia.com/advisories/38215 http:&# • CWE-416: Use After Free •
CVSS: 4.3EPSS: 0%CPEs: 50EXPL: 0CVE-2009-2992
https://notcve.org/view.php?id=CVE-2009-2992
An unspecified ActiveX control in Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 does not properly validate input, which allows attackers to cause a denial of service via unknown vectors. Un control ActiveX no especificado en Adobe Reader y Acrobat v9.x anteriores a v9.2, v8.x anteriores a v8.1.7 y posiblemente en v7.x anteriores a v7.1.4 no validan adecuadamente la entrada, permitiendo a atacantes provocar una denegación de servicio mediante vectores no especificados. • http://securitytracker.com/id?1023007 http://www.adobe.com/support/security/bulletins/apsb09-15.html http://www.securityfocus.com/bid/36638 http://www.us-cert.gov/cas/techalerts/TA09-286B.html http://www.vupen.com/english/advisories/2009/2898 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6054 • CWE-20: Improper Input Validation •