Rewterz Threat Advisory – Multiple Adobe Vulnerabilities

October 14, 2021

Severity

Medium

Analysis Summary

CVE-2021-40721

Adobe Connect is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to execute arbitrary code on the system.

CVE-2021-40719

Adobe Connect could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim or cause the application to crash.

CVE-2021-40724

Adobe Acrobat Reader for Android could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing directory traversal sequences (/../) to execute arbitrary code on the system.

CVE-2021-40720

Adobe ops-cli could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim or cause the application to crash.

CVE-2021-39864

Adobe Commerce and Magento Open Source are vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to bypass the security feature. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.

CVE-2021-40744

Adobe Campaign Standard is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to execute arbitrary code on the system.

Impact

Cross-Site Scripting
Code Execution

Affected Vendors

Adobe

Affected Products

Adobe Connect 11.2.2
Adobe Acrobat Reader for Android 21.8.0
Adobe ops-cli 2.0.4
Adobe Commerce 2.4.2-p2
Adobe Commerce 2.4.3
Adobe Commerce 2.3.7-p1
Adobe Magento Open Source 2.4.2-p2
Adobe Magento Open Source 2.4.3
Adobe Magento Open Source 2.3.7-p1
Adobe Campaign Standard 21.2.1

Remediation

Refer to Adobe Advisory for patch, upgrade, or suggested workaround information.

CVE-2021-40721

https://helpx.adobe.com/security/products/connect/apsb21-91.html

CVE-2021-40719

https://helpx.adobe.com/security/products/connect/apsb21-91.html

CVE-2021-40724

https://helpx.adobe.com/security/products/reader-mobile/apsb21-89.html

CVE-2021-40720

https://helpx.adobe.com/security/products/ops_cli/apsb21-88.html

CVE-2021-39864

https://helpx.adobe.com/security/products/magento/apsb21-86.html

CVE-2021-40744

https://helpx.adobe.com/security/products/campaign/apsb21-52.html