The default configuration of Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, does not enable the Enhanced Security feature, which has unspecified impact and attack vectors, related to a "script injection vulnerability," as demonstrated by Acrobat Forms Data Format (FDF) behavior that allows cross-site scripting (XSS) by user-assisted remote attackers.
CVSS Vector
AV:N/AC:L/Au:N/C:C/I:C/A:CAdobe Acrobat
APPAdobe3.03.14.04.0.54.0.5a4.0.5c5.05.0.105.0.55.0.66.06.0.16.0.26.0.36.0.4+ 32 więcejAdobe Acrobat Reader
APPAdobe3.03.013.024.04.0.54.0.5a4.0.5c4.55.05.0.105.0.115.0.55.0.65.0.75.0.9+ 35 więcejApple Mac Os X
OSApplewszystkie wersjeMicrosoft Windows
OSMicrosoftwszystkie wersjeUnix
OSUnixwszystkie wersje
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
XSS
CWE
References
Related vulnerabilities
CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam produkt
Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów
CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
CVE-2025-34028CRITICAL9.3⚠ KEVPL ✓ten sam produkt
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP
CVE-2024-7262CRITICAL9.3⚠ KEVPL ✓ten sam produkt
Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows
CVE-2024-4577CRITICAL9.8⚠ KEVPL ✓ten sam produkt
PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit