Hotfix for unauthorized elevated access in RoboHelp Server 11

Issue


Adobe has released a security hotfix for RoboHelp Server 11 (Update 3) and prior releases. This hotfix resolves a security vulnerability that allows end users with non-administrative privileges to manipulate API requests and elevate their account privileges to those of a server administrator.

For more information about the vulnerability, see Adobe Security bulletin (APSB22-31).

Solution

Alert:

This issue has been fixed in Update 4 of RoboHelp Server. To update RoboHelp Server to the latest version, visit the Download RoboHelp Server page.

To resolve this issue, perform the following:

Note:

Before making any changes, back up the database and the /WEB-INF/classes folder of the installation directory. Also stop any running instances of RoboHelp Server and the Tomcat server.

  1. Download the ZIP file linked below.

    Download

  2. Extract the contents of the ZIP file.
    The ZIP contains the following updated files:

    • WebAdmin.class
    • WebAdminGroup.class
    • WebAdminReport.class
  3. Navigate to the WEB-INF folder of the RoboHelp Server 11 installation.
    The default install location is: C:/Program Files/Adobe/Adobe RoboHelp Server 11

  4. Replace the WebAdmin.class, WebAdminGroup.class, and WebAdminReport.class files in the WEB-INF/classes/adobe/robohelp/server/ folder with the updated files extracted in Step 2.

  5. Restart the Tomcat server.
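The following PowerShell script is an added example that carries out steps 3 to 5 above together with the backup from the note; it is not Adobe's own script and is not part of the hotfix. It assumes three things the page does not state: the Tomcat Windows service name ($TomcatService), the folder into which you extracted the hotfix ZIP ($HotfixDir), and that WEB-INF sits directly under the install directory ($WebInfDir). Adjust those variables before running it as an administrator. The script stops Tomcat, copies WEB-INF\classes to a timestamped backup folder, replaces the three class files, and confirms each copy by comparing SHA-256 hashes of the source and installed files. The database backup the note asks for is outside the script and must be done with your database tooling.

```powershell
# Added example (not Adobe's script): apply the RoboHelp Server 11 hotfix files
# with a backup of WEB-INF\classes and a hash check of each replaced file.
# Assumptions (not on the page): Tomcat service name, hotfix extraction folder,
# and WEB-INF located directly under the install directory.
$InstallDir    = 'C:\Program Files\Adobe\Adobe RoboHelp Server 11'  # default path from the page
$WebInfDir     = Join-Path $InstallDir 'WEB-INF'                     # assumption: WEB-INF under install dir
$HotfixDir     = 'C:\Temp\RHS11-hotfix'                             # assumption: where the ZIP was extracted
$TomcatService = 'Tomcat9'                                          # assumption: your Tomcat service name

$TargetDir = Join-Path $WebInfDir 'classes\adobe\robohelp\server'   # folder named in step 4
$Files     = 'WebAdmin.class', 'WebAdminGroup.class', 'WebAdminReport.class'

# Stop Tomcat so no running instance has the class files open.
$svc = Get-Service -Name $TomcatService -ErrorAction SilentlyContinue
if ($null -eq $svc) { throw "Tomcat service '$TomcatService' not found; set `$TomcatService." }
if ($svc.Status -eq 'Running') {
    Stop-Service -Name $TomcatService
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
}

# Back up the whole WEB-INF\classes folder before touching anything.
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$BackupDir = Join-Path $InstallDir "classes-backup-$stamp"
Copy-Item -Path (Join-Path $WebInfDir 'classes') -Destination $BackupDir -Recurse
Write-Host "Backup written to $BackupDir"

# Replace each class file and verify the installed copy matches the hotfix copy.
foreach ($f in $Files) {
    $src = Join-Path $HotfixDir $f
    $dst = Join-Path $TargetDir $f
    if (-not (Test-Path $src)) { throw "Hotfix file missing: $src" }
    if (-not (Test-Path $dst)) { throw "Installed file not found (check `$WebInfDir): $dst" }

    $srcHash = (Get-FileHash -Path $src -Algorithm SHA256).Hash
    $before  = (Get-FileHash -Path $dst -Algorithm SHA256).Hash
    if ($before -eq $srcHash) {
        Write-Host "$f already matches the hotfix file; skipping."
        continue
    }

    Copy-Item -Path $src -Destination $dst -Force
    $after = (Get-FileHash -Path $dst -Algorithm SHA256).Hash
    if ($after -ne $srcHash) { throw "Verification failed for $f: installed hash $after != hotfix hash $srcHash" }
    Write-Host ("{0}: replaced ({1}... -> {2}...)" -f $f, $before.Substring(0, 12), $after.Substring(0, 12))
}

# Bring Tomcat back up (step 5).
Start-Service -Name $TomcatService
(Get-Service -Name $TomcatService).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
Write-Host 'Hotfix applied and Tomcat restarted.'
```

If a file is reported as already matching, the hotfix was applied earlier and nothing is overwritten; if the hash check fails, restore the three files from the backup folder printed at the start before restarting Tomcat.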
