Request a Demo
Rewterz
Rewterz Threat Alert – ZLoader Banking Trojan – Active IOCs
September 16, 2021
Rewterz
Rewterz Threat Advisory – ICS : Multiple Siemens Vulnerabilities
September 16, 2021

Rewterz Threat Advisory – Multiple Adobe Vulnerabilities

Severity

High

Analysis Summary

CVE-2021-40714 ; CVE-2021-40711

Adobe Experience Manager (AEM) is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2021-40713

Adobe Experience Manager (AEM) could allow a remote attacker to bypass security restrictions, caused by the improper certificate validation. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to bypass the security feature.

CVE-2021-40712

Adobe Experience Manager (AEM) is vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service.

CVE-2021-40708

Adobe Genuine Service could allow a remote authenticated attacker to gain elevated privileges on the system, caused by the creation of a temporary file in the directory with incorrect permissions. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to gain elevated privileges on the system.

CVE-2021-39826

Adobe Digital Editions could allow a remote attacker to execute arbitrary code on the system, caused by an OS command injection vulnerability. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2021-39827

Adobe Digital Editions could allow a remote attacker to gain elevated privileges on the system, caused by the creation of temporary file in directory with incorrect permissions. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to gain elevated privileges on the system.

CVE-2021-39828

Adobe Digital Editions could allow a remote authenticated attacker to gain elevated privileges on the system, caused by the creation of temporary file in directory with incorrect permissions. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to gain elevated privileges on the system.

CVE-2021-39825

Adobe Photoshop Elements could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write error. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim or cause the application to crash.

CVE-2021-28613

Adobe Creative Cloud Desktop Application could allow a local authenticated attacker to execute arbitrary code on the system, caused by the creation of a temporary file in directory with incorrect permissions. By executing a specially crafted application, an attacker could exploit this vulnerability to write arbitrary files and execute arbitrary code on the system.

CVE-2021-40699

Adobe ColdFusion could allow a remote authenticated attacker to execute arbitrary code on the system, caused by the use of inherently dangerous function. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2021-40716

Adobe XMP-Toolkit-SDK could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to read arbitrary files on the system.

Impact

  • Cross-Site Scripting
  • Security Bypass
  • Denial of Services
  • Privilege Escalation
  • Code Execution
  • Information Disclosure

Affected Vendors

  • Adobe
  • Adobe Photoshop
  • Adobe Creative Cloud

Affected Products

  • Adobe Experience Manager Cloud Service (CS)
  • Adobe Experience Manager 6.5.8.0
  • Adobe Genuine Service 7.3
  • Adobe Digital Editions 4.5.11.187646
  • Adobe Photoshop Elements 2021 [build 19.0 (20210304.m.156367)
  • Adobe Creative Cloud Desktop Application 5.4
  • Adobe ColdFusion 2018 Update 11
  • Adobe ColdFusion 2021 Version 1
  • Adobe XMP-Toolkit-SDK 2021.07

Remediation

Refer to Adobe Experience Manager for patch, upgrade, or suggested workaround information.

https://helpx.adobe.com/security/products/experience-manager/apsb21-82.html

Refer to Adobe Genuine Service for patch, upgrade, or suggested workaround information.

https://helpx.adobe.com/security/products/integrity_service/apsb21-81.html

Refer to Adobe Digital Editions for patch, upgrade, or suggested workaround information.

https://helpx.adobe.com/security/products/Digital-Editions/apsb21-80.html

Refer to Adobe Photoshop Elements for patch, upgrade, or suggested workaround information.

https://helpx.adobe.com/security/products/photoshop_elements/apsb21-77.html

Refer to AdobeCreative Cloud Desktop Application for patch, upgrade, or suggested workaround information.

https://helpx.adobe.com/security/products/creative-cloud/apsb21-76.html

Refer to Adobe ColdFusion for patch, upgrade, or suggested workaround information.

https://helpx.adobe.com/security/products/coldfusion/apsb21-75.html

Refer to Adobe XMP-Toolkit-SDK for patch, upgrade, or suggested workaround information.

https://helpx.adobe.com/security/products/xmpcore/apsb21-85.html