Severity
High
Analysis Summary
CVE-2021-40714 ; CVE-2021-40711
Adobe Experience Manager (AEM) is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2021-40713
Adobe Experience Manager (AEM) could allow a remote attacker to bypass security restrictions, caused by improper certificate validation. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to bypass the security feature.
CVE-2021-40712
Adobe Experience Manager (AEM) is vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2021-40708
Adobe Genuine Service could allow a remote authenticated attacker to gain elevated privileges on the system, caused by the creation of a temporary file in a directory with incorrect permissions. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to gain elevated privileges on the system.
CVE-2021-39826
Adobe Digital Editions could allow a remote attacker to execute arbitrary code on the system, caused by an OS command injection vulnerability. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2021-39827
Adobe Digital Editions could allow a remote attacker to gain elevated privileges on the system, caused by the creation of a temporary file in a directory with incorrect permissions. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to gain elevated privileges on the system.
CVE-2021-39828
Adobe Digital Editions could allow a remote authenticated attacker to gain elevated privileges on the system, caused by the creation of a temporary file in a directory with incorrect permissions. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to gain elevated privileges on the system.
CVE-2021-39825
Adobe Photoshop Elements could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write error. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim or cause the application to crash.
CVE-2021-28613
Adobe Creative Cloud Desktop Application could allow a local authenticated attacker to execute arbitrary code on the system, caused by the creation of a temporary file in a directory with incorrect permissions. By executing a specially crafted application, an attacker could exploit this vulnerability to write arbitrary files and execute arbitrary code on the system.
CVE-2021-40699
Adobe ColdFusion could allow a remote authenticated attacker to execute arbitrary code on the system, caused by the use of an inherently dangerous function. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2021-40716
Adobe XMP-Toolkit-SDK could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to read arbitrary files on the system.
Impact
- Cross-Site Scripting
- Security Bypass
- Denial of Service
- Privilege Escalation
- Code Execution
- Information Disclosure
Affected Vendors
- Adobe
- Adobe Photoshop
- Adobe Creative Cloud
Affected Products
- Adobe Experience Manager Cloud Service (CS)
- Adobe Experience Manager 6.5.8.0
- Adobe Genuine Service 7.3
- Adobe Digital Editions 4.5.11.187646
- Adobe Photoshop Elements 2021 [build 19.0 (20210304.m.156367)]
- Adobe Creative Cloud Desktop Application 5.4
- Adobe ColdFusion 2018 Update 11
- Adobe ColdFusion 2021 Version 1
- Adobe XMP-Toolkit-SDK 2021.07
Remediation
Refer to Adobe Experience Manager for patch, upgrade, or suggested workaround information.
https://helpx.adobe.com/security/products/experience-manager/apsb21-82.html
Refer to Adobe Genuine Service for patch, upgrade, or suggested workaround information.
https://helpx.adobe.com/security/products/integrity_service/apsb21-81.html
Refer to Adobe Digital Editions for patch, upgrade, or suggested workaround information.
https://helpx.adobe.com/security/products/Digital-Editions/apsb21-80.html
Refer to Adobe Photoshop Elements for patch, upgrade, or suggested workaround information.
https://helpx.adobe.com/security/products/photoshop_elements/apsb21-77.html
Refer to Adobe Creative Cloud Desktop Application for patch, upgrade, or suggested workaround information.
https://helpx.adobe.com/security/products/creative-cloud/apsb21-76.html
Refer to Adobe ColdFusion for patch, upgrade, or suggested workaround information.
https://helpx.adobe.com/security/products/coldfusion/apsb21-75.html
Refer to Adobe XMP-Toolkit-SDK for patch, upgrade, or suggested workaround information.
https://helpx.adobe.com/security/products/xmpcore/apsb21-85.html