
Multiple Adobe Products Vulnerabilities

Severity

High

Analysis Summary

CVE-2024-34109 CVSS:9.1

Adobe Commerce and Magento Open Source could allow a remote attacker to execute arbitrary code on the system, caused by improper validation of input. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim or cause the application to crash.

CVE-2024-34110 CVSS:9.1

Adobe Commerce and Magento Open Source could allow a remote authenticated attacker to upload arbitrary files, caused by improper validation of file extensions. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious file, which could allow the attacker to execute arbitrary commands on the vulnerable system.

CVE-2024-34103 CVSS:8.1

Adobe Commerce and Magento Open Source could allow a remote attacker to gain elevated privileges on the system, caused by improper authentication. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to gain elevated privileges on the system.

CVE-2024-34116 CVSS:7.3

Adobe Creative Cloud Desktop Application could allow a local authenticated attacker to execute arbitrary code on the system, caused by an uncontrolled search path element. By executing a specially crafted application, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2024-34112 CVSS:7.5

Adobe ColdFusion could allow a remote attacker to obtain sensitive information, caused by improper access control. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to perform an arbitrary file system read.

CVE-2024-34108 CVSS:9.1

Adobe Commerce and Magento Open Source could allow a remote attacker to execute arbitrary code on the system, caused by improper validation of input. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim or cause the application to crash.

CVE-2024-34113 CVSS:6.2

Adobe ColdFusion could allow a local attacker to bypass security restrictions, caused by weak cryptography for passwords. An attacker could exploit this vulnerability to bypass security restrictions.

CVE-2024-30299 CVSS:10

Adobe FrameMaker Publishing Server could allow a remote attacker to gain elevated privileges on the system, caused by improper authentication. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to gain elevated privileges on the system.

CVE-2024-34129 CVSS:6.3

Adobe Acrobat Android could allow a remote attacker to bypass security restrictions, caused by a path traversal flaw. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to bypass the security feature.

CVE-2024-34104 CVSS:8.1

Adobe Commerce and Magento Open Source could allow a remote attacker to bypass security restrictions, caused by improper authorization. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to bypass the security feature.

CVE-2024-34105 CVSS:4.8

Adobe Commerce and Magento Open Source are vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute a script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVE-2024-30300 CVSS:9.8

Adobe FrameMaker Publishing Server could allow a remote attacker to gain elevated privileges on the system, caused by information exposure. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to gain elevated privileges on the system.

CVE-2024-30276 CVSS:5.5

Adobe Audition could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read error. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to obtain sensitive information.

CVE-2024-34130 CVSS:5.5

Adobe Acrobat Android could allow a remote attacker to bypass security restrictions, caused by improper authorization. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to bypass the security feature.

CVE-2024-30285 CVSS:5.5

Adobe Audition is vulnerable to a denial of service, caused by a NULL pointer dereference. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.

CVE-2024-34111 CVSS:8.5

Adobe Commerce and Magento Open Source are vulnerable to server-side request forgery. By sending a specially crafted request, an attacker could exploit this vulnerability to conduct an SSRF attack and execute arbitrary code on the system.

CVE-2024-20753 CVSS:7.8

Adobe Photoshop could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds read error. By persuading a victim to open a specially crafted document, an attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim or cause the application to crash.

CVE-2024-30278 CVSS:5.5

Adobe Media Encoder could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to obtain sensitive information.

CVE-2024-34102 CVSS:9.8

Adobe Commerce and Magento Open Source could allow a remote attacker to execute arbitrary code on the system, caused by improper restriction of XML external entity (XXE) references. By using specially crafted XML content, a remote attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.

CVE-2024-34107 CVSS:5.3

Adobe Commerce and Magento Open Source could allow a remote attacker to bypass security restrictions, caused by improper access control. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to bypass the security feature.

CVE-2024-34106 CVSS:5.3

Adobe Commerce and Magento Open Source could allow a remote attacker to bypass security restrictions, caused by improper authentication. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to bypass the security feature.

Impact

  • Denial of Service
  • Gain Access
  • Security Bypass
  • Code Execution
  • Privilege Escalation
  • Cross-Site Scripting
  • Information Disclosure

Indicators of Compromise

CVE

  • CVE-2024-34109
  • CVE-2024-34110
  • CVE-2024-34103
  • CVE-2024-34116
  • CVE-2024-34112
  • CVE-2024-34108
  • CVE-2024-34113
  • CVE-2024-30299
  • CVE-2024-34129
  • CVE-2024-34104
  • CVE-2024-34105
  • CVE-2024-30300
  • CVE-2024-30276
  • CVE-2024-34130
  • CVE-2024-30285
  • CVE-2024-34111
  • CVE-2024-20753
  • CVE-2024-30278
  • CVE-2024-34102
  • CVE-2024-34107
  • CVE-2024-34106

Affected Vendors

Adobe

Affected Products

  • Adobe Commerce 2.3.7-p4-ext-5
  • Adobe Commerce 2.4.0-ext-5
  • Adobe Commerce 2.4.1-ext-5
  • Adobe Commerce 2.4.2-ext-5
  • Adobe Commerce 2.4.3-ext-5
  • Adobe Commerce 2.4.4-p6
  • Adobe Commerce 2.4.5-p5
  • Adobe Commerce 2.4.6-p3
  • Adobe Magento Open Source 2.4.4-p6
  • Adobe Magento Open Source 2.4.5-p5
  • Adobe Magento Open Source 2.4.6-p3
  • Adobe Commerce 2.4.7
  • Adobe Magento Open Source 2.4.7
  • Adobe Creative Cloud Desktop Application 6.1.0.587
  • Adobe ColdFusion 2023 Update 7
  • Adobe ColdFusion 2021 Update 13
  • Adobe FrameMaker Publishing Server 2022.2
  • Adobe FrameMaker Publishing Server 2020 3
  • Adobe Acrobat Android 24.4.2.33155
  • Adobe Audition 24.2
  • Adobe Audition 23.6.4
  • Adobe Photoshop 2023 24.7.3
  • Adobe Photoshop 2024 25.7
  • Adobe Media Encoder 24.3
  • Adobe Media Encoder 23.6.5

Remediation

Refer to Adobe Security Advisory for patch, upgrade, or suggested workaround information.

  • CVE-2024-34109
  • CVE-2024-34110
  • CVE-2024-34103
  • CVE-2024-34116
  • CVE-2024-34112
  • CVE-2024-34108
  • CVE-2024-34113
  • CVE-2024-30299
  • CVE-2024-34129
  • CVE-2024-34104
  • CVE-2024-34105
  • CVE-2024-30300
  • CVE-2024-30276
  • CVE-2024-34130
  • CVE-2024-30285
  • CVE-2024-34111
  • CVE-2024-20753
  • CVE-2024-30278
  • CVE-2024-34102
  • CVE-2024-34107
  • CVE-2024-34106