Multiple Adobe Enterprise products such as Adobe Experience, Premier Pro, ColdFusion, Bridge, Lightroom, and Animate have been discovered with critical code execution vulnerabilities that were associated with Untrusted search path, Cross-site scripting, Out-of-bounds write, Use After free, Heap-based buffer overflow and many others.
Adobe has released multiple security advisories to address these vulnerabilities.
Among all of these products, Adobe Experience Manager had the highest number of vulnerabilities, accounting for 43 code execution vulnerabilities associated with Improper access control and cross-site scripting.
According to the reports shared with Cyber Security News, successfully exploiting these vulnerabilities in any Adobe product will lead to arbitrary code execution, allowing a threat actor to perform any malicious activity on the compromised product.
This product had four vulnerabilities, three of which were related to memory leaks and one associated with arbitrary code execution (CVE-2024-20761).
This vulnerability exists due to an Out-of-bounds write condition on the Adobe Animate product, which a threat actor could exploit to perform write actions at the end or beginning of the intended buffer.
This vulnerability was given a severity of 7.8 (High).
This product had only one vulnerability, which was related to arbitrary code execution that exists due to an Untrusted search path.
This vulnerability was assigned with CVE-2024-20754, and its severity has yet to be categorized.
A threat actor could exploit this vulnerability and achieve code execution over the affected product.
This product was discovered with four vulnerabilities in three of which were linked with arbitrary code execution vulnerabilities that existed due to Use after free, heap-based buffer overflow and Out-of-bounds write conditions on the vulnerable products.
These vulnerabilities were assigned with CVE-2024-20752 (7.8 – High), CVE-2024-20755 (7.8 – High), and CVE-2024-20756 (8.6 – High).
This product was discovered with only one vulnerability that was related to Arbitrary file system read due to improper access control. However, there were no arbitrary code executions present in this product.
The only vulnerability was assigned with CVE-2024-20767 and the severity was given as 8.2 (High).
This product was discovered with two vulnerabilities both of which were related to arbitrary code execution due to Heap-based buffer overflow and Out-of-bounds write conditions.
These vulnerabilities were assigned with CVE-2024-20745 (7.8 – High) and CVE-2024-20746 (7.8 – High).
As mentioned earlier, this product was the only product with the highest number of vulnerabilities. There were 43 arbitrary code execution vulnerabilities and 3 security bypass vulnerabilities.
All of the code execution vulnerabilities existed due to Cross-site scripting.
Among the three security bypass vulnerabilities, two of them were due to improper input validation and the other was due to improper access control.
| Vulnerability Category | Vulnerability Impact | Severity | CVSS base score | CVSS vector | CVE Number |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26028 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26030 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26031 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26032 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26033 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26034 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26035 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26038 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26040 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26041 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26042 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26043 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26044 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26045 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 4.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L | CVE-2024-26048 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 4.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N | CVE-2024-26050 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26052 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26056 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26059 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26061 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26062 |
| Information Exposure (CWE-200) | Security feature bypass | Important | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | CVE-2024-26063 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26064 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26065 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26067 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26069 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26073 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26080 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26094 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26096 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26102 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26103 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26104 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26105 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26106 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26107 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26118 |
| Improper Access Control (CWE-284) | Security feature bypass | Important | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | CVE-2024-26119 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26120 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26124 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26125 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-20760 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-20768 |
| Improper Input Validation (CWE-20) | Security feature bypass | Moderate | 3.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N | CVE-2024-26126 |
| Improper Input Validation (CWE-20) | Security feature bypass | Moderate | 3.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N | CVE-2024-26127 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Moderate | 3.4 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N | CVE-2024-26051 |
| Affected Product | Version | Platform |
| Adobe Animate 2023 | 23.0.3 and earlier versions | Windows and macOS |
| Adobe Animate 2024 | 24.0 and earlier versions | Windows and macOS |
| Lightroom | 7.1.2 and earlier versions | macOS |
| Adobe Bridge | 13.0.5 and earlier versions | Windows and macOS |
| Adobe Bridge | 14.0.1 and earlier versions | Windows and macOS |
| ColdFusion 2023 | Update 6 and earlier versions | All |
| ColdFusion 2021 | Update 12 and earlier versions | All |
| Adobe Premiere Pro | 24.1 and earlier versions | Windows and macOS |
| Adobe Premiere Pro | 23.6.2 and earlier versions | Windows and macOS |
| Adobe Experience Manager (AEM) | AEM Cloud Service (CS) | All |
| 6.5.19.0 and earlier versions | All |
| Product | Version | Platform | Priority | Availability |
| Adobe Animate 2023 | 23.0.4 | Windows and macOS | 3 | Download Center |
| Adobe Animate 2024 | 24.0.1 | Windows and macOS | 3 | Download Center |
| Lightroom | 7.2 | macOS as published in the Apple App Store. | 3 | Download Center |
| Adobe Bridge | 13.0.6 | Windows and macOS | 3 | Download Page |
| Adobe Bridge | 14.0.2 | Windows and macOS | 3 | Download Page |
| ColdFusion 2023 | Update 7 | All | 3 | Tech Note |
| ColdFusion 2021 | Update 13 | All | 3 | Tech Note |
| Adobe Premiere Pro | 24.2.1 | Windows and macOS | 3 | Download Center |
| Adobe Premiere Pro | 23.6.4 | Windows and macOS | 3 | Download Center |
| Adobe Experience Manager (AEM) | AEM Cloud Service Release 2024.03 | All | 3 | Release Notes |
| 6.5.20.0 | All | 3 | AEM 6.5 Service Pack Release Notes |
With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
A directory traversal vulnerability (CVE-2024-23334) was identified in aiohttp versions before 3.9.2. This vulnerability allows…
Onur Aksoy, a forty-year-old resident of Florida and dual citizen of Turkey and the United…
Students aren’t alone in having their skills tested in K-12 schools. Education-sector IT teams face…
While injection vulnerabilities are on the rise, Webshells have become a serious concern. They allow…
Security researchers have uncovered four zero-day vulnerabilities within OpenVPN, the world's leading VPN solution. These…
Operation PANDORA has successfully dismantled a network of 12 fraudulent call centers, dealing a significant…