Unrated severityNVD Advisory· Published Apr 14, 2010· Updated Apr 29, 2026

CVE-2010-0190

Description

Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting vulnerability in Adobe Reader and Acrobat 9.x before 9.3.2 and 8.x before 8.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted PDF.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in Adobe Reader and Acrobat versions 9.x prior to 9.3.2 and 8.x prior to 8.2.2 on Windows and Mac OS X. The flaw allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a specially crafted PDF file [1]. The vulnerability is present in the browser plug-in that automatically opens PDF documents hosted on websites.

Exploitation

An attacker can exploit this vulnerability by convincing a user to open a malicious PDF file. The PDF may be hosted on a website and automatically opened via the Adobe Reader browser plug-in, requiring no user interaction beyond visiting the site. No authentication or special network position is needed; the attack is remote and can be delivered through email links or web pages [1].

Impact

Successful exploitation allows the attacker to inject arbitrary web script or HTML into the user's browser session in the context of the affected application. This can lead to information disclosure, session hijacking, or other client-side attacks, depending on the user's privileges and the environment [1].

Mitigation

Adobe released updates in Security Bulletin APSB10-09 to address this issue. Users should upgrade to Adobe Reader 9.3.2 or 8.2.2, or Adobe Acrobat 9.3.2 or 8.2.2. As a workaround, disabling JavaScript in Adobe Reader and Acrobat (Edit -> Preferences -> JavaScript, uncheck "Enable Acrobat JavaScript") may prevent some exploits [1]. No standalone installers are provided; users must first install the base version and then apply the update.

References

Adobe Reader and Acrobat Vulnerabilities | CISA

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Adobe Inc./Acrobat20 versions
cpe:2.3:a:adobe:acrobat:8.0:*:*:*:*:*:*:*+ 19 more
- cpe:2.3:a:adobe:acrobat:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:8.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:8.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:8.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:8.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:8.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:8.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:8.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:8.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:8.2:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:8.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:9.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:9.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:9.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:9.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:9.2:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:9.3:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat:9.3.1:*:*:*:*:*:*:*
- (no CPE)range: >=8.0, <8.2.2 || >=9.0, <9.3.2
Adobe Inc./Acrobat Reader17 versions
cpe:2.3:a:adobe:acrobat_reader:8.0:*:*:*:*:*:*:*+ 16 more
- cpe:2.3:a:adobe:acrobat_reader:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:8.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:8.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:8.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:8.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:8.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:8.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:8.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:8.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:9.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:9.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:9.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:9.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:9.2:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:9.3:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:9.3.1:*:*:*:*:*:*:*
Adobe Inc./Readerllm-fuzzy
Range: >=8.0, <8.2.2 || >=9.0, <9.3.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.adobe.com/support/security/bulletins/apsb10-09.htmlnvdPatchVendor Advisory
www.vupen.com/english/advisories/2010/0873nvdPatchVendor Advisory
www.us-cert.gov/cas/techalerts/TA10-103C.htmlnvdUS Government Resource
www.securityfocus.com/bid/39329nvd
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6986nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000