Software maker Adobe on Tuesday issued an urgent warning about “very limited attacks” exploiting a zero-day vulnerability in its Adobe ColdFusion web app development platform.
Adobe’s warning was embedded in a critical-severity level advisory that contains patches for ColdFusion versions 2021 and 2018.
“Adobe is aware that CVE-2023-26360 has been exploited in-the-wild in very limited attacks targeting Adobe ColdFusion,” the company said. No other details on the in-the-wild compromises were provided.
Adobe’s PSIRT said the patches cover software defects that “could lead to arbitrary code execution, arbitrary file system read and memory leak.”
The company described the exploited vulnerability as a critical arbitrary file system read vulnerability with a CVSS base score of 8.6/10. The ColdFusion update also features a second critical bug (CVSS 9.8) that could lead to code execution attacks.
In all, Adobe released patches for a whopping 106 vulnerabilities in a wide range of products, some serious enough to expose both Windows and macOS users to remote code execution attacks.
These include:
- Four documented vulnerabilities in Adobe Commerce (formerly Magento) that could lead to arbitrary code execution, security feature bypass and arbitrary file system read. Adobe rates this a critical bulletin
- At least 18 security flaws in the Adobe Experience Manager software. “Successful exploitation of these vulnerabilities could result in arbitrary code execution, privilege escalation and security feature bypass.”
- Five critical security defects affecting Adobe Illustrator (Windows and macOS) that could lead to memory leak and arbitrary code execution.
- 58 documented CVEs in Adobe Dimension. “Successful exploitation could lead to memory leak and arbitrary code execution in the context of the current user.”
The company also fixed a critical-level vulnerability in the popular Adobe Photoshop (Windows and macOS), a separate code execution flaw in the Adobe Creative Cloud desktop application, and 16 new issues in the Adobe Substance 3D Stager.
Related: Adobe Plugs Critical Security Holes in Illustrator, After Effects Software
Related: Adobe Warns of ‘Critical’ Security Flaws in Enterprise Products
Related: Adobe Patches Gaping Security Holes in Acrobat, Reader, Photoshop