Advisory

Adobe Patches Critical Flaws in InDesign and ColdFusion

Take action: The InDesign fix should be neither difficult nor lengthy to apply: it is a single application on your computer, so close it and install the update. The ColdFusion fix applies to servers; administrators should treat it as urgent, since the deserialization flaw it addresses is being exploited.

Learn More

Adobe has alerted users to critical security flaws in its InDesign and ColdFusion products and urged them to update promptly.

As part of its scheduled July Patch Tuesday rollout, Adobe released fixes for twelve documented vulnerabilities in Adobe InDesign. The update, available for both Windows and macOS, primarily addresses one critical-severity flaw that could allow arbitrary code execution. The remaining eleven are memory-safety bugs that could lead to memory leaks.

In a separate security bulletin, Adobe also issued patches for three security defects affecting ColdFusion 2023, 2021, and 2018. The company stressed the criticality of these updates, as the flaws could lead to arbitrary code execution and security feature bypass. Of particular concern is CVE-2023-29300 (CVSS 9.8), a deserialization-of-untrusted-data vulnerability.

Update: Adobe has warned that CVE-2023-29300 is being exploited in the wild. The details of the exploitation are not fully known, but a since-removed technical blog post by Project Discovery included a proof-of-concept exploit for CVE-2023-29300.

Adobe advises administrators to harden their ColdFusion installations by running them in lockdown mode. Note, however, that CVE-2023-29300 can be chained with another vulnerability, CVE-2023-29298, to bypass lockdown mode, so lockdown mode complements the patch rather than replacing it.
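Because lockdown mode alone is not sufficient, the check a ColdFusion administrator most wants after applying this bulletin is confirmation that the update actually landed on every server. The following is an added example, not code from Adobe or from this advisory: it reads the hotfix jar names ColdFusion keeps under cfusion/lib/updates, derives the highest installed update per major version, and compares it against a minimum update level per version. The directory layout and the chf<YYYY><NNNNNNN>.jar naming (for example chf20210000007.jar for ColdFusion 2021 Update 7) are assumptions about the ColdFusion installer and should be verified against your own installation; the minimum update numbers in the demo are placeholders to be replaced with the values given in Adobe's bulletin.

```python
import re
from pathlib import Path

# Assumed layout (not from the advisory): ColdFusion stores installed hotfixes
# as jar files named chf<YYYY><NNNNNNN>.jar under cfusion/lib/updates, e.g.
# chf20210000007.jar == ColdFusion 2021 Update 7. Verify against your install.
HOTFIX_RE = re.compile(r"^chf(\d{4})(\d{7})\.jar$")


def installed_updates(filenames):
    """Return {major_version: highest_update_number} from hotfix jar names."""
    highest = {}
    for name in filenames:
        m = HOTFIX_RE.match(name)
        if not m:
            continue  # ignore anything that is not a hotfix jar
        version, update = int(m.group(1)), int(m.group(2))
        highest[version] = max(update, highest.get(version, 0))
    return highest


def check_patch_level(filenames, required):
    """Compare installed update levels against per-version minimums.

    `required` maps major version -> minimum update number (from the bulletin).
    Returns {version: (installed, required, ok)} for every installed major
    version that has a minimum defined. An empty result means no hotfix jars
    were found at all, which callers should treat as "unpatched", not "fine".
    """
    installed = installed_updates(filenames)
    report = {}
    for version, have in installed.items():
        if version not in required:
            continue  # no baseline for this major version; nothing to compare
        need = required[version]
        report[version] = (have, need, have >= need)
    return report


def scan_updates_dir(path):
    """List jar names in a real cfusion/lib/updates directory."""
    return [p.name for p in Path(path).glob("*.jar")]


if __name__ == "__main__":
    # Constructed sample listing, not taken from a real server:
    # ColdFusion 2021 at Update 5, ColdFusion 2018 at Update 17.
    sample = ["chf20210000003.jar", "chf20210000005.jar",
              "chf20180000017.jar", "readme.txt"]
    # Placeholder minimums; replace with the update numbers from Adobe's bulletin.
    required = {2023: 1, 2021: 7, 2018: 17}
    report = check_patch_level(sample, required)
    if not report:
        print("No ColdFusion hotfix jars found: treat as unpatched")
    for version, (have, need, ok) in sorted(report.items()):
        status = "OK" if ok else "PATCH NEEDED"
        print(f"ColdFusion {version}: installed update {have}, "
              f"required {need}: {status}")
```

On a live host, replace `sample` with `scan_updates_dir("/opt/coldfusion2021/cfusion/lib/updates")` (path assumed; use your own install root). The script deliberately reports an empty updates directory as a failure rather than silence, since a server with no hotfix jars is the one most in need of attention.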

Earlier this year, Adobe also disclosed "limited attacks" exploiting a zero-day vulnerability in ColdFusion.
