SecurityWeek

Adobe Patches 123 Vulnerabilities – SecurityWeek


Adobe’s latest Patch Tuesday updates fix 123 vulnerabilities across 11 products.

Of the total, 57 vulnerabilities were patched in Adobe Experience Manager. The vast majority are XSS flaws that allow arbitrary code execution, and three issues have been described as improper input validation that can lead to a security feature bypass.

Two critical issues with a CVSS score of 10, both allowing arbitrary code execution, have been patched in Adobe Campaign Classic.

In ColdFusion, Adobe resolved seven vulnerabilities, including critical and high-severity issues that could allow arbitrary code execution, privilege escalation, and bypass of security features.

Twenty security holes have been fixed in Acrobat and Reader for Windows and macOS, including code execution, DoS, and memory exposure bugs.

Critical and high-severity code execution vulnerabilities have been patched by Adobe in Dreamweaver, Format Plugins, Experience Manager Forms, InDesign, InCopy, and Substance 3D Sampler.

Adobe also addressed several DoS flaws in the Content Credentials SDK.

The software giant says it’s not aware of in-the-wild exploitation targeting these vulnerabilities, and it has assigned a priority rating of 3 to most flaws, indicating it does not expect them to be leveraged in malicious attacks. 

Only the ColdFusion and Campaign Classic vulnerabilities have been assigned a priority rating of 1, indicating they could end up being exploited in attacks. 

ColdFusion is known to have been targeted by threat actors, including in recent campaigns. 
