Request a Demo
Rewterz
FBI Detects HiatusRAT Malware Attacks Targeting DVRs and Webcams
December 17, 2024
Rewterz
Blind Eagle APT aka APT-C-36 – Active IOCs
December 17, 2024

Multiple Adobe Products Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2024-43750 CVSS:5.4

Adobe Experience Manager versions 6.5.21 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

CVE-2024-43751 CVSS:5.4

Adobe Experience Manager versions 6.5.21 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

CVE-2024-43752 CVSS:5.4

Adobe Experience Manager versions 6.5.21 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

CVE-2024-43754 CVSS:5.4

Adobe Experience Manager versions 6.5.21 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could allow an attacker to execute arbitrary code in the context of the victim's browser. This issue occurs when data from a malicious source is processed by a web application's client-side scripts to update the DOM. Exploitation of this issue requires user interaction, such as convincing a victim to click on a malicious link.

CVE-2024-43755 CVSS:3.5

Adobe Experience Manager versions 6.5.21 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE-2024-45155 CVSS:7.8

Animate versions 23.0.8, 24.0.5 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE-2024-45156 CVSS:7.8

Animate versions 23.0.8, 24.0.5 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE-2024-49530 CVSS:7

Acrobat Reader versions 24.005.20307, 24.001.30213, 24.001.30193, 20.005.30730, 20.005.30710 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE-2024-49531 CVSS:4.7

Acrobat Reader versions 24.005.20307, 24.001.30213, 24.001.30193, 20.005.30730, 20.005.30710 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE-2024-49532 CVSS:5.5

Acrobat Reader versions 24.005.20307, 24.001.30213, 24.001.30193, 20.005.30730, 20.005.30710 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE-2024-49533 CVSS:5.5

Acrobat Reader versions 24.005.20307, 24.001.30213, 24.001.30193, 20.005.30730, 20.005.30710 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE-2024-49534 CVSS:5.5

Acrobat Reader versions 24.005.20307, 24.001.30213, 24.001.30193, 20.005.30730, 20.005.30710 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE-2024-49535 CVSS:6.3

Acrobat Reader versions 24.005.20307, 24.001.30213, 24.001.30193, 20.005.30730, 20.005.30710 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. This vulnerability allows an attacker to provide malicious XML input containing a reference to an external entity, leading to data disclosure or potentially code execution. Exploitation of this issue requires user interaction in that a victim must process a malicious XML document.

CVE-2024-49537 CVSS:7.8

After Effects versions 24.6.2, 25.0.1 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE-2024-49538 CVSS:7.8

Illustrator versions 29.0.0, 28.7.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE-2024-49541 CVSS:5.5

Illustrator versions 29.0.0, 28.7.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE-2024-49543 CVSS:7.8

InDesign Desktop versions ID19.5, ID18.5.4 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE-2024-49544 CVSS:7.8

InDesign Desktop versions ID19.5, ID18.5.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE-2024-49545 CVSS:7.8

InDesign Desktop versions ID19.5, ID18.5.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE-2024-49546 CVSS:5.5

InDesign Desktop versions ID19.5, ID18.5.4 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE-2024-49547 CVSS:5.5

InDesign Desktop versions ID19.5, ID18.5.4 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE-2024-49548 CVSS:5.5

InDesign Desktop versions ID19.5, ID18.5.4 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE-2024-49549 CVSS:5.5

InDesign Desktop versions ID19.5, ID18.5.4 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE-2024-49550 CVSS:6.1

Adobe Connect versions 12.6, 11.4.7 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.

CVE-2024-49551 CVSS:7.8

Media Encoder versions 25.0, 24.6.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Impact

  • Denial of Service
  • Gain Access
  • Code Execution
  • Buffer Overflow
  • Security Bypass
  • Cross-Site Scripting
  • Information Disclosure

Indicators of Compromise

CVE

  • CVE-2024-43750
  • CVE-2024-43751
  • CVE-2024-43752
  • CVE-2024-43754
  • CVE-2024-43755
  • CVE-2024-45155
  • CVE-2024-45156
  • CVE-2024-49530
  • CVE-2024-49531
  • CVE-2024-49532
  • CVE-2024-49533
  • CVE-2024-49534
  • CVE-2024-49535
  • CVE-2024-49537
  • CVE-2024-49538
  • CVE-2024-49541
  • CVE-2024-49543
  • CVE-2024-49544
  • CVE-2024-49545
  • CVE-2024-49546
  • CVE-2024-49547
  • CVE-2024-49548
  • CVE-2024-49549
  • CVE-2024-49550
  • CVE-2024-49551

Affected Vendors

Adobe

Affected Products

  • Adobe After Effects 24.6.2
  • Adobe Experience Manager 6.5.21
  • Adobe Animate 23.0.8
  • Adobe Animate 24.0.5
  • Adobe Acrobat Reader 24.005.20307
  • Adobe Acrobat Reader 24.001.30213
  • Adobe Acrobat Reader 24.001.30193
  • Adobe Acrobat Reader 20.005.30730
  • Adobe Acrobat Reader 20.005.30710
  • Adobe After Effects 25.0.1
  • Adobe Illustrator 29.0.0
  • Adobe Illustrator 28.7.2
  • Adobe InDesign Desktop ID19.5
  • Adobe InDesign Desktop ID18.5.4
  • Adobe Connect 12.6
  • Adobe Connect 11.4.7
  • Adobe Media Encoder 25.0
  • Adobe Media Encoder 24.6.3

Remediation

Refer to Adobe Security Advisory for patch, upgrade, or suggested workaround information.

CVE-2024-43750

CVE-2024-43751

CVE-2024-43752

CVE-2024-43754

CVE-2024-43755

CVE-2024-45155

CVE-2024-45156

CVE-2024-49530

CVE-2024-49531

CVE-2024-49532

CVE-2024-49533

CVE-2024-49534

CVE-2024-49535

CVE-2024-49537

CVE-2024-49538

CVE-2024-49541

CVE-2024-49543

CVE-2024-49544

CVE-2024-49545

CVE-2024-49546

CVE-2024-49547

CVE-2024-49548

CVE-2024-49549

CVE-2024-49550

CVE-2024-49551