Update Adobe Acrobat and Reader to Patch Actively Exploited Vulnerability

The Hacker News

Adobe’s Patch Tuesday update for September 2023 comes with a patch for a critical actively exploited security flaw in Acrobat and Reader that could permit an attacker to execute malicious code on susceptible systems.

The vulnerability, tracked as CVE-2023-26369, is rated 7.8 for severity on the CVSS scoring system and impacts both Windows and macOS versions of Acrobat DC, Acrobat Reader DC, Acrobat 2020, and Acrobat Reader 2020.

Described as an out-of-bounds write, successful exploitation of the bug could lead to code execution by opening a specially crafted PDF document. Adobe did not disclose any additional details about the issue or the targeting involved.

“Adobe is aware that CVE-2023-26369 has been exploited in the wild in limited attacks targeting Adobe Acrobat and Reader,” the company acknowledged in an advisory.

CVE-2023-26369 affects the following versions:

  • Acrobat DC (23.003.20284 and earlier versions) - Fixed in 23.006.20320
  • Acrobat Reader DC (23.003.20284 and earlier versions) - Fixed in 23.006.20320
  • Acrobat 2020 (20.005.30514 for Windows and earlier versions, 20.005.30516 for macOS and earlier versions) - Fixed in 20.005.30524
  • Acrobat Reader 2020 (20.005.30514 for Windows and earlier versions, 20.005.30516 for macOS and earlier versions) - Fixed in 20.005.30524
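To check an endpoint inventory against the fixed builds listed above, the comparison can be scripted. This is an added example, not code from the article or from Adobe: the hostnames and inventory rows are constructed, and it assumes any build below the listed fixed build needs the update.

```python
# Fixed builds for CVE-2023-26369, keyed by product name as listed above.
FIXED = {
    "Acrobat DC": "23.006.20320",
    "Acrobat Reader DC": "23.006.20320",
    "Acrobat 2020": "20.005.30524",
    "Acrobat Reader 2020": "20.005.30524",
}

def parse_version(text):
    """Turn 'NN.NNN.NNNNN' into an int tuple so fields compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a three-part numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def status(product, version):
    """Classify one install against the fixed build for its product."""
    fixed = FIXED.get(product)
    if fixed is None:
        return "unknown-product"
    try:
        installed = parse_version(version)
    except ValueError:
        return "unparseable-version"
    # Assumption: anything below the fixed build is treated as unpatched.
    return "patched" if installed >= parse_version(fixed) else "needs-update"

# Constructed sample inventory: (host, product, reported version).
INVENTORY = [
    ("ws-001", "Acrobat Reader DC", "23.003.20284"),
    ("ws-002", "Acrobat Reader DC", "23.006.20320"),
    ("mac-014", "Acrobat 2020", "20.005.30516"),
    ("ws-077", "Acrobat 2020", "20.005.30524"),
    # An old DC install whose version starts with 20: the product name, not
    # the leading number, must select which fixed build it is compared to.
    ("ws-090", "Acrobat DC", "20.013.20064"),
    ("ws-101", "Acrobat DC", "23.006"),
]

def audit(rows):
    """Return (host, product, version, status) for every inventory row."""
    return [(h, p, v, status(p, v)) for h, p, v in rows]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print("{:8} {:18} {:14} {}".format(*row))
```

Rows reported as `unparseable-version` or `unknown-product` should be reviewed by hand rather than counted as patched.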

Also patched by the software maker are two cross-site scripting flaws each in Adobe Connect (CVE-2023-29305 and CVE-2023-29306) and Adobe Experience Manager (CVE-2023-38214 and CVE-2023-38215) that could lead to arbitrary code execution.

Related news

U.S. Cybersecurity Agency Warns of Actively Exploited Adobe Acrobat Reader Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a high-severity flaw in Adobe Acrobat Reader to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2023-21608 (CVSS score: 7.8), the vulnerability has been described as a use-after-free bug that can be exploited to achieve remote code execution (RCE) with the

CVE-2023-38214: Adobe Security Bulletin

Adobe Experience Manager versions 6.5.17 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If a low-privileged attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.

CVE-2023-29306: Adobe Security Bulletin

Adobe Connect versions 12.3 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.

CVE-2023-26369: Adobe Security Bulletin

Acrobat Reader versions 23.003.20284 (and earlier), 20.005.30516 (and earlier) and 20.005.30514 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Adobe, Apple, Google & Microsoft Patch 0-Day Bugs

Microsoft today issued software updates to fix at least five dozen security holes in Windows and supported software, including patches for two zero-day vulnerabilities that are already being exploited. Also, Adobe, Google Chrome and Apple iOS users may have their own zero-day patching to do.