Adobe issues high-risk vulnerability warnings to Windows and macOS users

Adobe has disclosed high-risk vulnerabilities in its Adobe Prelude, Adobe Experience Manager and Adobe Lightroom applications. If exploited, these vulnerabilities could lead to arbitrary code execution.

In total, Adobe's pre-scheduled December security update includes patches for one high-risk vulnerability and three critical high-risk CVEs. In the November patch release, the company fixed four high-risk CVEs in the Windows and macOS versions of its Acrobat and Reader product line; all of those vulnerabilities could be exploited to execute arbitrary code on the affected product.

According to Adobe’s security updates on Tuesday, “Adobe was not aware of the issues that these updates would solve.”

This month's patch release includes an important cross-site scripting (XSS) vulnerability in Adobe Experience Manager (AEM), a content management solution used to build websites, mobile applications and forms. If exploited, the vulnerability (CVE-2020-24445) could allow a malicious actor to execute arbitrary JavaScript code in the victim's browser.

AEM CS, AEM 6.5.6.0 and earlier, AEM 6.4.8.2 and earlier, and AEM 6.3.3.8 and earlier are affected by this vulnerability; AEM users should update to the fixed AEM versions listed in Adobe's advisory. The priority of this update is "2", which Adobe uses for updates that resolve vulnerabilities in products that have "historically been at elevated risk" but for which no exploits are currently known.


There is also a high-risk blind server-side request forgery (SSRF) vulnerability in AEM (CVE-2020-24444). In a blind SSRF, the attacker causes the application to issue a back-end HTTP request to a URL of their choosing, but the response to that request is not reflected in the application's front-end response. Adobe said that this issue could lead to the disclosure of sensitive data.

Adobe has also fixed a high-risk vulnerability in Lightroom Classic for Windows and macOS. Lightroom Classic is Adobe's desktop photo-editing application. If exploited, the vulnerability could allow arbitrary code execution in the context of the current user.

The vulnerability stems from an uncontrolled search path in Lightroom Classic 10.0 and earlier on Windows. An uncontrolled search path arises when an application uses a fixed search path to locate a resource such as a library, and one or more directories on that path can be written to by a malicious user, who can then plant a resource that is found before the legitimate one. In Lightroom Classic, exploiting this issue (CVE-2020-24447) could lead to arbitrary code execution.
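To make the uncontrolled-search-path condition concrete from the defender's side, here is an added Python example (not code from Adobe or from the article): it audits a fixed search path for entries a non-privileged user could write to, models how a lookup resolves to the first match, and shows the pinned lookup that avoids the problem. The directory names and files are constructed in a temporary directory; the mode-bit check assumes a POSIX filesystem (on Windows, ACLs govern writability).

```python
"""Audit a fixed resource search path for attacker-controllable entries."""
import os
import stat
import tempfile


def writable_by_others(path: str) -> bool:
    """True if the entry is missing, or group/world-writable without the sticky bit."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return True  # a missing entry can be created by whoever controls the parent
    loose = st.st_mode & (stat.S_IWOTH | stat.S_IWGRP)
    return bool(loose) and not (st.st_mode & stat.S_ISVTX)


def audit_search_path(search_path):
    """Return the directories a non-privileged user could plant files in."""
    return [d for d in search_path if writable_by_others(d)]


def resolve(name, search_path):
    """Weak behaviour: the first directory on the path holding `name` wins."""
    for d in search_path:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def resolve_pinned(name, trusted_dir):
    """Hardened variant: only the known-good absolute directory is consulted."""
    candidate = os.path.join(os.path.abspath(trusted_dir), name)
    return candidate if os.path.isfile(candidate) else None


def demo():
    """Constructed scenario: a world-writable directory precedes the vendor directory."""
    root = tempfile.mkdtemp()
    dropzone = os.path.join(root, "dropzone")  # e.g. a shared temp directory
    trusted = os.path.join(root, "app")         # vendor-owned install directory
    os.mkdir(dropzone)
    os.chmod(dropzone, 0o777)                   # chmod after mkdir so umask does not interfere
    os.mkdir(trusted)
    os.chmod(trusted, 0o755)
    for d in (dropzone, trusted):
        with open(os.path.join(d, "helper.dll"), "w") as f:
            f.write("")                         # only the file's location matters here
    path = [dropzone, trusted]
    return {"unsafe": audit_search_path(path), "weak": resolve("helper.dll", path),
            "pinned": resolve_pinned("helper.dll", trusted),
            "dropzone": dropzone, "trusted": trusted}
```

Running `demo()` shows the audit flagging the dropzone, the weak lookup loading the planted copy from it, and the pinned lookup loading only from the vendor directory.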

Adobe urges Lightroom Classic users on Windows and macOS to update to version 10.1. Adobe rates the update "priority 3", which it uses for products that have "historically not been a target for attackers."

“Adobe recommends that administrators install updates as needed,” according to reports.

The last high-risk vulnerability was patched in Adobe Prelude, Adobe's logging tool, which is used mainly to tag media with metadata and to search and manage footage throughout the post-production workflow. This vulnerability is another uncontrolled search path (CVE-2020-24440), affecting Adobe Prelude 9.0.1 and earlier on Windows. If exploited, it could lead to arbitrary code execution.

Users are urged to update to Adobe Prelude 9.0.2 for Windows; Adobe has also rated this update "priority 3".

Adobe has fixed numerous security vulnerabilities in recent months. In October, after warning Windows, macOS, Linux and ChromeOS users of a high-risk vulnerability in its Flash Player application, Adobe released an out-of-band update fixing 18 vulnerabilities across 10 different software packages, including high-risk vulnerabilities across its product suites; Adobe Illustrator was the most affected.