CVE-2022-42341: ColdFusion versions 14 and earlier are affected by an XXE vulnerability that could lead to arbitrary file system read.
If a user visited a malicious website, opened a malicious advertiser tag, or browsed to a malicious URL within an ad unit, an attacker could exploit this issue and potentially execute arbitrary code with the user's elevated privileges. Adobe is aware of limited, targeted attacks attempting to exploit this issue which have been reported in the media. Adobe is monitoring these reports closely and investigating the issue. Adobe recommends applying the indicated update to address this issue. Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary file system read. Exploitation of this issue does not require user interaction.
Digital Ad Fraud
Advertising fraud is a pervasive, costly problem with no easy solutions. The scale of the problem is daunting, and the risks to advertisers are rising as more internet users adopt ad blocking software. The impact on the advertising industry and consumers alike is substantial.
Products Affected
Adobe Acrobat Reader DC
Adobe Acrobat DC
Update 14 (and earlier) and Update 4 (and earlier) require the most recent patch for Adobe Acrobat Reader DC, Adobe Acrobat DC, or both.
Summary
Adobe is aware of limited, targeted attacks attempting to exploit this issue which have been reported in the media. Adobe is monitoring these reports closely and investigating the issue. Adobe recommends applying the indicated update to address this issue. Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary file system read. Exploitation of this issue does not require user interaction.
The XXE error occurs when a web application allows an XML external entity reference that contains characters outside of the allowed character set or when an XML external entity reference contains both a decryption key and an encryption key without being properly validated.
Products Affected by CVE-2022-42341
Adobe is aware of limited, targeted attacks attempting to exploit this issue which have been reported in the media. Adobe is monitoring these reports carefully and investigating the issue. Update 14 (and earlier) and Update 4 (and earlier) are affected by a vulnerability that could result in arbitrary file system read. Exploitation of this issue does not require user interaction.
Products Affected by CVE-2022-42341
Adobe Acrobat and Reader
Timeline
Published on: 10/14/2022 20:15:00 UTC
Last modified on: 10/14/2022 20:31:00 UTC