CVE-2022-38448 Adobe Dimension versions 3.4.5 is vulnerable to a Use After Free vulnerability that could result in arbitrary code execution in the user's context.

An attacker could leverage social engineering or email spoofing to interact with a user and convince them to open the malicious file.

CVE Solution: Update to version 3.4.5 of Adobe Dimension.

Adobe ColdFusion versions 10.3.3, 10.3.0 and CF10.0 are affected by an XSS flaw that could be exploited by hackers to execute arbitrary code on the system of users.

CVE Solution: Update to version 10.3.3 of Adobe ColdFusion.

Adobe Creative Cloud versions are multiple products are vulnerable to one or more XSS issues including the following:
INTRODUCTION: Adobe Creative Cloud (ACC) services allow users to access a wide range of creative tools and content from a single, secure login. These include services such as InDesign, Photoshop, Illustrator, and others. As such, Creative Cloud users are often in situations where they are required to share information via a public medium, such as a blog, or via email. As such, Creative Cloud users are often in situations where they are required to share information via a public medium, such as a blog, or via email. XSS is one of the most common forms of cross-site scripting, where data is unintentionally sent across a site via a mechanism other than the intended one, often due to insufficient input validation.

Products Affected by Adobe Creative Cloud XSS Flaw

Adobe Creative Cloud versions are multiple products are vulnerable to one or more XSS issues including the following:
InDesign CC 2015.1.0 and earlier
Illustrator CC 2015.1.0 and earlier
Photoshop CC 2015.1.0 and earlier

Overview of the XSS Flaw

The XSS flaw exists in the form of a stored cross-site scripting vulnerability that impacts both Adobe Creative Cloud applications and the Adobe Content Server. This vulnerability is disclosed in Adobe's security bulletin CVE-2022-38448. The impact of this vulnerability varies depending on which application or server is affected.

If exploited, an attacker could leverage social engineering or email spoofing to interact with a user and convince them to open the malicious file.

Overview of the issue

The issue is that Creative Cloud services, such as Illustrator, InDesign and Photoshop, do not perform input validation when users export or save files. This means that malicious code could be sent across the system, bypassing security measures and compromising the integrity of users' information. Additionally, this flaw could also allow an attacker to engage in social engineering to access sensitive data on the system.

Overview of the Issue

In Adobe Creative Cloud versions, users can inadvertently send sensitive data across public channels. This is often due to insufficient input validation. As such, an attacker can leverage social engineering or email spoofing to interact with a user and convince them to open the malicious file.

Adobe Creative Cloud and InDesign XSS Vulnerabilities

Affected versions: All versions of Creative Cloud until 20.2.1, and InDesign 11.0.6

In one scenario, a maliciously crafted document can be opened by an attacker, which will execute arbitrary code on the system of the user who opens it.
In another scenario, an attacker can modify the content of the document to cause a redirect to a web site that they control. This web site could then deliver a payload to any browser within the system that loads it.

Timeline

Published on: 10/14/2022 20:15:00 UTC
Last modified on: 10/14/2022 20:31:00 UTC

References