Adobe addressed critical security issues in ColdFusion and InDesign. Users should install security updates immediately to ensure system safety.
Stay informed and prioritize security maintenance to address potential threats.
Attackers can exploit the vulnerabilities to execute arbitrary code, cause memory leaks, and bypass features.
Adobe ColdFusion | APSB23-40
ColdFusion, developed by Adobe, is a platform for creating and deploying web and mobile applications.
Adobe released updates for ColdFusion versions 2023, 2021, and 2018 to resolve the Improper Access Control and Deserialization of Untrusted Data.
There are flaws in the ColdFusion that can allow an attacker to execute arbitrary code and bypass security features.
| Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers |
| Improper Access Control (CWE-284) | Security feature bypass
| Critical | CVE-2023-29298 |
| Deserialization of Untrusted Data (CWE-502) | Arbitrary code execution | Critical | CVE-2023-29300 |
| Improper Restriction of Excessive Authentication Attempts (CWE-307) | Security feature bypass | Important | CVE-2023-29301 |
Affected versions
| Product | Update number |
| ColdFusion 2018 | Update 16 and earlier versions |
| ColdFusion 2021 | Update 6 and earlier versions |
| ColdFusion 2023 | GA Release (2023.0.0.330468) |
Fixed Version
| Product | Updated Version |
|---|
| ColdFusion 2018 | Update 17 |
| ColdFusion 2021 | Update 7 |
| ColdFusion 2023 | Update 1 |
Adobe InDesign | APSB23-38
InDesign by Adobe is a tool for producing digital media like flyers, posters, stationery, slideshows, and other materials.
Update Adobe InDesign to protect against security vulnerabilities that can be exploited by attackers to execute arbitrary code and cause memory leaks.
| Vulnerability Category | Vulnerability Impact | Severity | CVE Number |
|---|
| Out-of-bounds Write (CWE-787) | Arbitrary code execution | Critical | CVE-2023-29308 |
| Out-of-bounds Read (CWE-125) | Memory leak | Important | CVE-2023-29309 |
| Out-of-bounds Read (CWE-125) | Memory leak | Important | CVE-2023-29310 |
| Out-of-bounds Read (CWE-125) | Memory leak | Important | CVE-2023-29311 |
| Out-of-bounds Read (CWE-125) | Memory leak | Important | CVE-2023-29312 |
| Out-of-bounds Read (CWE-125) | Memory leak | Important | CVE-2023-29313 |
| Out-of-bounds Read (CWE-125) | Memory leak | Important | CVE-2023-29314 |
| Out-of-bounds Read (CWE-125) | Memory leak | Important | CVE-2023-29315 |
| Out-of-bounds Read (CWE-125) | Memory leak | Important | CVE-2023-29316 |
| Out-of-bounds Read (CWE-125) | Memory leak | Important | CVE-2023-29317 |
| Out-of-bounds Read (CWE-125) | Memory leak | Important | CVE-2023-29318 |
| Out-of-bounds Read (CWE-125) | Memory leak | Important | CVE-2023-29319 |
Affected Versions
| Product | Affected version | Platform |
| Adobe InDesign | ID18.3 and earlier version. | Windows and macOS |
| Adobe InDesign | ID17.4.1 and earlier version. | Windows and macOS |
Patched Versions
| Product | Updated version | Platform | Priority rating |
| Adobe InDesign | ID18.4 | Windows and macOS | 3 |
| Adobe InDesign | ID17.4.2 | Windows and macOS | 3 |
Adobe released further details about the flaw and credited security researchers for reporting the vulnerabilities.
Source: https://cybersecuritynews.com/critical-adobe-security-flaws/
