Adobe's last scheduled security update of the year has resolved critical vulnerabilities in Lightroom, Prelude, and Experience Manager.
Released on Tuesday, the tech giant's patches deal with four vulnerabilities, three of which are deemed critical.
The first fix was issued for Adobe Lightroom, image editing software that is popular with professional photographers. Impacting Lightroom Classic version 10.0 and below on Windows and macOS machines, the critical issue -- tracked as CVE-2020-24447 -- is described as an uncontrolled search path element vulnerability leading to arbitrary code execution.
A second critical bug was found in Adobe Prelude for Windows and macOS, version 9.01 and earlier. Tracked as CVE-2020-24440, the severe vulnerability has been caused by an uncontrolled search path and if exploited by attackers, can lead to "arbitrary code execution in the context of the current user," according to Adobe.
Adobe's third security advisory relates to Adobe Experience Manager (AEM) and the AEM Forms add-on package on all platforms.
Two vulnerabilities have been patched in these software packages. The first, CVE-2020-24445, is a critical bug in AEM CS, and is also found in AEM 220.127.116.11/18.104.22.168/22.214.171.124 and earlier.
The second security flaw, CVE-2020-24444, is an "important" vulnerability found in AEM Forms SP6 add-on for AEM 126.96.36.199 and the AEM Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 2 (188.8.131.52). This vulnerability is a blind server-side request forgery issue that can be triggered for the purpose of information disclosure.
Adobe thanked Qihoo 360 CERT researcher Hou JingYi, as well as Frank Karlstrøm and Kenny Jansson of Storebrand Group, Norway, for reporting the security issues to the vendor.
In Microsoft's last patch update of the year, released on Tuesday, the Redmond giant resolved 58 vulnerabilities, 22 of which are remote code execution (RCE) vulnerabilities.
Previous and related coverage
- Adobe patches Magento bugs that lead to code execution, customer list tampering
- Adobe out-of-band patch released to tackle Media Encoder vulnerabilities
- Microsoft December 2020 Patch Tuesday fixes 58 vulnerabilities
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0