Adobe fixes critical security vulnerabilities in Lightroom, Prelude

Adobe has released security updates to address critical severity security bugs affecting Windows and macOS versions of Adobe Lightroom and Adobe Prelude.

In total, the company addressed four security vulnerabilities across three products: three rated critical, and one rated important that affects Adobe Experience Manager (AEM) and the AEM Forms add-on package.

These bugs could enable attackers to execute arbitrary code on vulnerable devices, as well as gain access to sensitive information and execute arbitrary JavaScript code in the browser.

Adobe categorized the critical security updates as priority 3 updates, meaning that they affect products that have not been known targets for attackers.

However, the update issued for the important severity vulnerability in Adobe Experience Manager is rated priority 2, as it addresses a bug with no known public exploits in a product that has “historically been at elevated risk.”

The full list of vulnerabilities fixed today is available in the table embedded below, together with severity ratings and assigned CVE numbers.

| Vulnerability Category | Vulnerability Impact | Severity | CVE Number | Affected Product |
|---|---|---|---|---|
| Uncontrolled search path | Arbitrary Code Execution | Critical | CVE-2020-24440 | Adobe Prelude |
| Uncontrolled Search Path Element | Arbitrary Code Execution | Critical | CVE-2020-24447 | Adobe Lightroom Classic |
| Blind server-side request forgery | Sensitive Information Disclosure | Important | CVE-2020-24444 | Adobe Experience Manager |
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-24445 | |

Adobe advises customers using vulnerable products to update to the latest versions as soon as possible to block attacks targeting unpatched installations.

Depending on their preferences, users can update their products using one of the following approaches:

  • Go to Help > Check for Updates within the product.
  • Download the full update installers from Adobe’s Download Center.
  • Let the products update automatically, without user intervention, when updates are detected.

IT admins can also install these security updates in managed environments via enterprise installers available through Adobe’s public FTP server or using Windows/macOS remote management solutions.

Last month, Adobe fixed 14 vulnerabilities in Adobe Acrobat and Reader for Windows and macOS that could allow attackers to remotely execute code on vulnerable devices.

Adobe also patched 18 critical security bugs impacting ten of its Windows and macOS products that could have led to the execution of arbitrary code when exploited in attacks.

The company also addressed a critical Adobe Flash Player remote code execution vulnerability that could be exploited by persuading potential victims to visit a maliciously crafted website.