SideWinder APT Group aka Rattlesnake – Active IOCs
October 14, 2024Casio Confirms Ransomware Attack Stole Customer Data
October 14, 2024SideWinder APT Group aka Rattlesnake – Active IOCs
October 14, 2024Casio Confirms Ransomware Attack Stole Customer Data
October 14, 2024Severity
High
Analysis Summary
CVE-2024-47415 CVSS:7.8
Animate versions 23.0.7, 24.0.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2024-47414 CVSS:7.8
Animate versions 23.0.7, 24.0.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2024-47413 CVSS:7.8
Animate versions 23.0.7, 24.0.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2024-47412 CVSS:7.8
Animate versions 23.0.7, 24.0.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2024-47411 CVSS:7.8
Animate versions 23.0.7, 24.0.4 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2024-47410 CVSS:7.8
Animate versions 23.0.7, 24.0.4 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2024-45153 CVSS:5.4
Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
CVE-2024-45152 CVSS:7.8
Substance3D - Stager versions 3.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2024-45150 CVSS:7.8
Dimension versions 4.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2024-45149 CVSS:4.3
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have a low impact on confidentiality. Exploitation of this issue does not require user interaction.
CVE-2024-45148 CVSS:8.8
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authentication vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to gain unauthorized access without proper credentials. Exploitation of this issue does not require user interaction.
CVE-2024-45146 CVSS:7.8
Dimension versions 4.0.3 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2024-45145 CVSS:5.5
Lightroom Desktop versions 7.4.1, 13.5, 12.5.1 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2024-45144 CVSS:7.8
Substance3D - Stager versions 3.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2024-45143 CVSS:7.8
Substance3D - Stager versions 3.0.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Impact
- Gain Access
- Code Execution
- Security Bypass
- Cross-Site Scripting
- Information Disclosure
Indicators of Compromise
CVE
- CVE-2024-47415
- CVE-2024-47414
- CVE-2024-47413
- CVE-2024-47412
- CVE-2024-47411
- CVE-2024-47410
- CVE-2024-45153
- CVE-2024-45152
- CVE-2024-45150
- CVE-2024-45149
- CVE-2024-45148
- CVE-2024-45146
- CVE-2024-45145
- CVE-2024-45144
- CVE-2024-45143
Affected Vendors
Affected Products
- Adobe Experience Manager 6.5.20
- Adobe Animate 23.0.7
- Adobe Animate 24.0.4
- Adobe Substance3D - Stager 3.0.3
- Adobe Dimension 4.0.3
- Adobe Commerce 2.4.7-p2
- Adobe Commerce 2.4.6-p7
- Adobe Commerce 2.4.5-p9
- Adobe Commerce 2.4.4-p10
- Adobe Lightroom Desktop 7.4.1
- Adobe Lightroom Desktop 13.5
- Adobe Lightroom Desktop 12.5.1
Remediation
Refer to Adobe Security Document for patch, upgrade, or suggested workaround information.