Headline
CVE-2023-22275: Security hotfix available for RoboHelp Server
Adobe RoboHelp Server versions 11.4 and earlier are affected by an Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability that could lead to information disclosure by an unauthenticated attacker. Exploitation of this issue does not require user interaction.
Security hotfix available for RoboHelp Server | APSB23-53
Bulletin ID
Date Published
Priority
ASPB23-53
November 14, 2023
3
Summary
Adobe has released a security update for RoboHelp Server. This update resolves vulnerabilities rated critical and important. Successful exploitation could lead to arbitrary code execution and memory leak in the context of the current user.
Affected Versions
RHS 11.4 and earlier versions
Solution
Adobe categorizes these updates with the following priority rating and recommends users update their installation to the newest version:
Product
Version
Platform
Priority rating
Availability
RoboHelp Server
RHS 11 Update 5 (11.5)
Windows
3
Release notes
Vulnerability Details
Vulnerability Category
Vulnerability Impact
Severity
CVSS base score
CVSS vector
CVE Numbers
Information Exposure (CWE-200)
Memory leak
Critical
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2023-22272
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) (CWE-22)
Arbitrary code execution
Critical
7.2
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2023-22273
Improper Restriction of XML External Entity Reference (‘XXE’) (CWE-611)
Memory leak
Critical
8.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
CVE-2023-22274
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) (CWE-89)
Memory leak
Critical
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2023-22275
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) (CWE-89)
Memory leak
Important
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2023-22268
Acknowledgments
Adobe would like to thank the following researcher for reporting this issue and for working with Adobe to help protect our customers:
- Anonymous working with Trend Micro Zero Day Initiative - CVE-2023-22272, CVE-2023-22273, CVE-2023-22274, CVE-2023-22275, CVE-2023-22268
NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.
For more information, visit https://helpx.adobe.com/security.html, or email [email protected].