Adobe Acrobat Reader SharedReviewDocCenterInitiator onError Javascript API Restrictions Bypass Vulnerability

Key Information

Advisory IDs: ZDI-15-200, ZDI-CAN-2690
CVE ID: CVE-2015-3066
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Affected Vendor: Adobe
Affected Product: Reader

Vulnerability Details

Description: This vulnerability allows remote attackers to bypass API restrictions on vulnerable installations of Adobe Reader. The specific flaw exists within the SharedReviewDocCenterInitiator onError event. By creating a specially crafted PDF with specific JavaScript instructions, it is possible to bypass the JavaScript API restrictions. A remote attacker could exploit this vulnerability to execute arbitrary code.

User Interaction: Required to exploit this vulnerability (e.g., visiting a malicious page or opening a malicious file).

Additional Details

Adobe has issued an update to correct this vulnerability. More details can be found at:
https://helpx.adobe.com/security/products/reader/apsb15-10.html

Disclosure Timeline

2015-01-20: Vulnerability reported to vendor
2015-05-12: Coordinated public release of advisory

Credit

AbdulAziz Hariri - HP Zero Day Initiative