
====================================================================

                              CERT-Renater

                 Information Note No. 2017/VULN253
_____________________________________________________________________

DATE                : 13/09/2017

HARDWARE PLATFORM(S):  /

OPERATING SYSTEM(S): Systems running Adobe RoboHelp versions prior to
                           RH2017.0.2, RH12.0.4.460 (Hotfix).

=====================================================================
https://helpx.adobe.com/security/products/robohelp/apsb17-25.html
____________________________________________________________________

 Security update available for RoboHelp | APSB17-25

Bulletin ID    Date Published        Priority
APSB17-25      September 12, 2017    3


Summary

Adobe has released a security update for RoboHelp for Windows. This
update resolves an important input validation vulnerability that could
be used in a cross-site scripting attack (CVE-2017-3104), as well as an
unvalidated URL redirect vulnerability rated moderate that could be
used in phishing campaigns (CVE-2017-3105).


Affected product versions

Product     Version                              Platform
RoboHelp    RH2017.0.1 and earlier versions      Windows
RoboHelp    RH12.0.4.460 and earlier versions    Windows


Solution


Adobe categorizes these updates with the following priority ratings and
recommends users update their installation to the newest version:

Product     Version                  Platform    Priority    Availability

RoboHelp    RH2017.0.2               Windows     3           Download
RoboHelp    RH12.0.4.460 (Hotfix)    Windows     3           Technical Note

Note:

    Refer to the Release notes for instructions to download and apply
    the update.

    Refer to the Knowledge Base article for instructions to download
    and apply the fix on RoboHelp 2015.


Vulnerability details

Vulnerability Category        Vulnerability Impact    Severity    CVE Numbers

Improper Neutralization of    DOM-based cross-site    Important   CVE-2017-3104
Input During Web Page         scripting attack
Generation

Improper Neutralization of    Open Redirect attack    Moderate    CVE-2017-3105
Input During Web Page
Generation


Acknowledgments

Adobe would like to thank Reynold Regan of CNSI - Center for Technology
& Innovation, Chennai for reporting both issues and for working with
Adobe to help protect our customers.


==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================




