CVE-2011-2133 in RoboHelp Serverinfo

Summary

by MITRE

Cross-site scripting (XSS) vulnerability in Adobe RoboHelp 8 and 9 before 9.0.1.262, and RoboHelp Server 8 and 9, allows remote attackers to inject arbitrary web script or HTML via the URI, related to template_stock/whutils.js.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 01/12/2025

The vulnerability identified as CVE-2011-2133 represents a critical cross-site scripting flaw affecting Adobe RoboHelp versions 8 and 9, along with RoboHelp Server 8 and 9, prior to patch version 9.0.1.262. This security weakness resides within the web-based help system component that processes user input through URI parameters, specifically through the template_stock/whutils.js file. The flaw enables remote attackers to execute malicious scripts in the context of the victim's browser, potentially leading to unauthorized actions or data theft.

The technical implementation of this vulnerability stems from inadequate input validation and output sanitization within the RoboHelp application's JavaScript processing mechanism. When users navigate to specific URIs containing malicious payloads, the whutils.js file fails to properly escape or filter the input parameters before rendering them within the web interface. This allows attackers to inject arbitrary HTML or JavaScript code that executes in the victim's browser session, exploiting the trust relationship between the user and the web application.

From an operational impact perspective, this vulnerability poses significant risks to organizations relying on Adobe RoboHelp for documentation management and user assistance systems. Attackers could leverage this flaw to perform session hijacking, steal sensitive information, deface web pages, or redirect users to malicious sites. The vulnerability affects both the desktop help authoring tool and the server component, expanding the potential attack surface and making it particularly dangerous for enterprise environments where documentation systems are widely deployed.

The security implications of CVE-2011-2133 align with CWE-79, which describes Cross-Site Scripting vulnerabilities, and can be mapped to ATT&CK technique T1566.001 for credential access through spearphishing attachments and T1059.007 for script-based execution. Organizations utilizing affected RoboHelp versions should prioritize immediate patching to remediate this vulnerability, as the lack of input sanitization creates persistent exposure to client-side attacks. The remediation process requires updating to Adobe RoboHelp 9.0.1.262 or later versions, which incorporate proper input validation mechanisms and enhanced output encoding to prevent malicious script injection attempts.

Reservation

05/13/2011

Disclosure

08/11/2011

Moderation

accepted

Entry

VDB-58264

CPE

ready

Exploit

Download

EPSS

0.02985

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!