Help Page in multiple Adobe products vulnerable to cross-site scripting


The Help page provided in multiple Adobe products contains a cross-site scripting vulnerability.

Yuji Tounai of bogus.jp reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

Adobe Systems, Inc.
  • Adobe Acrobat 9.5.2 and earlier
  • Adobe ColdFusion 8.0.1 and earlier


An arbitrary script may be executed on the user's web browser.

[Update the software]
Update to the latest version of the product according to the information provided by the developer.

According to the developer, the Help pages available on the developer's website were also affected by this vulnerability and fixed these pages as well.
Vendor Information

Adobe Systems, Inc.
CWE (What is CWE?)

  1. Cross-site Scripting(CWE-79) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2014-5315

  1. JVN : JVN#84376800
  2. National Vulnerability Database (NVD) : CVE-2014-5315
Revision History

  • [2014/09/12]
      Web page was published
      References : Content was added