Adobe
Monthly
Stored XSS in Adobe Commerce and Magento versions 2.4.9-alpha3 through 2.4.4-p16 allows authenticated attackers to inject malicious scripts into form fields that execute in victims' browsers, enabling session hijacking and data theft. Exploitation requires user interaction when a victim visits a page containing the compromised field. No patch is currently available.
Unauthorized data disclosure in Adobe Commerce and Magento B2B versions 2.4.4 through 2.4.9-alpha3 stems from an authorization bypass flaw that allows unauthenticated attackers to view sensitive information without user interaction. The vulnerability exploits improper access controls to circumvent security protections, exposing confidential data to remote threat actors. Currently no patch is available for affected versions.
Incorrect authorization controls in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allow unauthenticated remote attackers to bypass security features and gain unauthorized read access to sensitive data without user interaction. The vulnerability stems from improper access restrictions and could expose confidential information across affected Magento Commerce and Commerce B2B deployments. No patch is currently available to remediate this issue.
Incorrect authorization controls in Adobe Commerce 2.4.9-alpha3 through 2.4.4-p16 permit low-privileged authenticated users to bypass security features and access restricted functionality without user interaction. The vulnerability stems from improper authorization checks that fail to enforce proper access controls. No patch is currently available for affected versions.
Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 enables high-privileged attackers to inject malicious scripts into form fields, which execute in victim browsers during page visits. An attacker exploiting this vulnerability can achieve session hijacking and compromise both confidentiality and integrity, though successful exploitation requires user interaction and administrative privileges. No patch is currently available.
Denial-of-service attacks against Adobe Commerce and Magento B2B versions 2.4.4 through 2.4.9-alpha3 are possible through improper input validation that fails to sanitize malicious payloads. An unauthenticated remote attacker can trigger application unavailability by sending specially crafted requests without requiring user interaction. No security patch is currently available for this vulnerability.
Adobe Experience Manager 6.5.23 and earlier contain a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts. When victims access pages containing the injected payload, the JavaScript executes in their browser context, potentially leading to session hijacking, credential theft, or other client-side attacks. No patch is currently available for this vulnerability.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged users to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker can leverage this vulnerability to steal session tokens, credentials, or perform actions on behalf of victims within the AEM environment. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers. An attacker with valid credentials can compromise other users' sessions and steal sensitive data by crafting specially crafted input. Currently no patch is available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers. An attacker with valid credentials could leverage this vulnerability to steal session tokens, modify page content, or perform actions on behalf of victims who view the compromised forms. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in users' browsers when the page is viewed. An attacker with login credentials can craft payloads in vulnerable fields to steal session data or perform actions on behalf of victims. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute in other users' browsers. An attacker can leverage this to steal session tokens, perform unauthorized actions, or redirect victims to malicious sites when they view compromised pages. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts through form fields that execute in other users' browsers. An attacker with valid credentials can craft payloads to steal session tokens, redirect users, or perform actions on their behalf when victims view affected pages. No patch is currently available for this vulnerability.
Adobe Experience Manager 6.5.23 and earlier contain a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts executed in other users' browsers. An attacker can exploit this to steal credentials, perform unauthorized actions, or deface content when victims access affected pages. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. This requires low privileges and user interaction, enabling attackers to steal session data or perform actions on behalf of victims within the application context. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. The vulnerability requires low privileges and user interaction, enabling attackers to steal session data or perform actions on behalf of victims. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when users view the compromised pages. The vulnerability requires low privileges and user interaction, enabling attackers to steal session data or perform actions on behalf of victims. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker can exploit this vulnerability to steal session tokens, perform unauthorized actions, or redirect users to malicious sites through script execution in victims' browsers. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with valid credentials can exploit this vulnerability to steal session tokens, perform actions on behalf of victims, or redirect users to malicious sites. No patch is currently available for this vulnerability.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute in other users' browsers. An attacker can exploit this vulnerability to perform actions on behalf of victims or steal sensitive information when they visit pages containing the compromised fields. No patch is currently available for this vulnerability.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute in victims' browsers. An attacker can exploit this vulnerability by injecting JavaScript that runs when other users access pages containing the compromised fields, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers. An attacker could exploit this to steal session tokens, redirect users, or perform actions on behalf of victims viewing affected pages. No patch is currently available.
Adobe Experience Manager 6.5.23 and earlier contains a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts. When victims visit pages containing the injected payload, the attacker's JavaScript executes in their browser, potentially compromising user sessions or stealing sensitive data. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in other users' browsers. An attacker with low privileges can craft malicious input that persists in the application and compromises confidentiality and integrity for victims who access the affected pages. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in victims' browsers when the contaminated pages are viewed. An attacker with valid credentials can exploit this to steal session tokens, credentials, or perform actions on behalf of affected users. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when users view the affected pages. A low-privileged user can exploit this to perform actions in the context of other users' browsers, potentially compromising session integrity and enabling credential theft or data exfiltration. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged attackers to inject malicious scripts into form fields that execute when victims view affected pages. The vulnerability requires user interaction and can result in session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. The vulnerability requires low-level privileges and user interaction to exploit, enabling attackers to steal session data or perform actions on behalf of victims. No patch is currently available for this medium-severity issue.
Stored XSS in Adobe Experience Manager versions 6.5.23 and earlier enables low-privileged attackers to embed malicious scripts in form fields that execute when legitimate users view the affected pages. An attacker with basic authentication can inject JavaScript that runs in victims' browsers, potentially compromising session data or performing unauthorized actions. No patch is currently available for this vulnerability.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with login credentials can compromise victim browsers and potentially steal sensitive information or perform unauthorized actions within the application context. No patch is currently available for this vulnerability.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields, which execute in the browsers of users viewing those pages. The vulnerability requires user interaction and has limited scope of impact, affecting confidentiality and integrity but not availability. No patch is currently available for this medium-severity issue.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with low privileges and user interaction can compromise the confidentiality and integrity of victim sessions. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. A low-privileged user can exploit this to perform actions in victim browsers or steal sensitive information, though no patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in victims' browsers when the affected pages are viewed. The vulnerability requires user interaction and is limited to low-impact information disclosure and modification, though it can affect multiple users due to its stored nature. No patch is currently available for this issue.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields, which execute in victims' browsers when they access affected pages. The vulnerability requires user interaction and can result in session hijacking, credential theft, or malware distribution. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in victims' browsers, potentially leading to session hijacking or credential theft. The vulnerability requires user interaction and is currently unpatched, with no active exploitation reported.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in users' browsers when the affected pages are accessed. An attacker with login credentials can craft payloads that persist in the application and compromise victim sessions or steal sensitive data. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers when they access affected pages. An attacker can exploit this to steal session tokens, perform unauthorized actions, or deface content with minimal user interaction required. No patch is currently available for this vulnerability.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields, which execute in victims' browsers when the affected pages are accessed. An attacker with login credentials can exploit this vulnerability to steal session tokens, credentials, or perform actions on behalf of users viewing the compromised forms. No patch is currently available for this vulnerability.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with low privileges can exploit this vulnerability to steal session tokens, credentials, or perform actions on behalf of victims through their browsers. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts through form fields, which execute in victims' browsers when they view affected pages. The vulnerability requires user interaction and network access but can impact confidentiality and integrity across security domains. No patch is currently available.
Adobe Experience Manager 6.5.23 and earlier contains a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts affecting other users who view the compromised pages. When a victim browses to a page containing the injected payload, the malicious JavaScript executes in their browser context, potentially enabling session hijacking or credential theft. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields, which execute in victims' browsers when they view affected pages. This requires user interaction and an authenticated attacker, but could compromise the confidentiality and integrity of user sessions. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier enables authenticated attackers to inject malicious scripts into form fields that execute when users view affected pages. An attacker with login credentials can compromise victim browsers and steal sensitive data or perform actions on their behalf. No patch is currently available.
Arbitrary code execution in Adobe Illustrator 29.8.4, 30.1 and earlier through an out-of-bounds write vulnerability affecting local users who open malicious files. An attacker can exploit this to execute code with the privileges of the targeted user, requiring only that the victim interact with a crafted document. No patch is currently available for this high-severity vulnerability.
Heap buffer overflow in Adobe Illustrator 29.8.4 and 30.1 allows arbitrary code execution under the current user's privileges when opening a malicious file. The vulnerability requires user interaction but carries no patch availability, leaving affected systems at risk. An attacker can achieve code execution by crafting and distributing a malicious document that triggers the memory corruption flaw.
Out-of-bounds memory read in Adobe Illustrator 29.8.4 and 30.1 and earlier enables attackers to disclose sensitive information from process memory by tricking users into opening malicious files. This local vulnerability requires user interaction but poses a high confidentiality risk with no available patch. Affected organizations should restrict file opening from untrusted sources until Adobe releases a fix.
Out-of-bounds memory read in Adobe Illustrator 29.8.4, 30.1 and earlier enables local attackers to extract sensitive data from process memory by tricking users into opening crafted files. No patch is currently available for this vulnerability, which requires user interaction but poses a meaningful confidentiality risk to affected users.
Arbitrary code execution in Adobe Illustrator 29.8.4 and 30.1 through a stack-based buffer overflow when processing malicious files. Local exploitation requires user interaction to open a crafted document, executing code with the privileges of the current user. No patch is currently available for affected versions.
Arbitrary code execution in Adobe Illustrator versions 29.8.4 and 30.1 and earlier results from an out-of-bounds write flaw that executes with user privileges. An attacker can achieve code execution by crafting a malicious file that triggers the vulnerability when opened by a victim. No patch is currently available for this high-severity issue.
Arbitrary code execution in Adobe Illustrator versions 29.8.4 and 30.1 and earlier via an untrusted search path vulnerability allows local attackers to execute malicious code with user privileges. The vulnerability requires a victim to open a specially crafted file, making it exploitable through social engineering or malicious file distribution. No patch is currently available.
Arbitrary code execution in Adobe Acrobat and Acrobat Reader versions 24.001.30307 and earlier stems from a use-after-free memory vulnerability triggered when users open specially crafted files. An attacker can achieve code execution with the privileges of the current user, though exploitation requires victim interaction. No patch is currently available for affected versions.
Improper certificate validation in Adobe Acrobat Reader DC versions 24.001.30307 and earlier allows local attackers to forge digital signatures by spoofing signer identity, bypassing security features that users rely on for document verification. This attack requires user interaction and affects multiple Adobe products including Acrobat DC. No patch is currently available.
Arbitrary code execution in Adobe Acrobat Reader and Acrobat (versions 24.001.30307 and earlier) via a use-after-free vulnerability requires victims to open a malicious file. Local attackers can exploit this to execute code with the privileges of the current user. No patch is currently available.
Integer overflow in psd-tools Python library before 1.12.2 when processing malformed RLE-compressed PSD files leads to heap overflow. PoC and patch available.
Heap memory disclosure in ImageMagick's PSD file parser allows unauthenticated remote attackers to leak sensitive information from process memory by crafting malicious Photoshop files with improperly compressed layer data. Affected versions prior to 7.1.2-15 and 6.9.13-40 fail to properly validate decompressed data sizes, exposing uninitialized heap contents in generated output images. No patch is currently available for this vulnerability.
InDesign versions 21.1, 20.5.1 and earlier contain a heap buffer overflow that enables local denial-of-service attacks when users open malicious files. An attacker can crash the application to disrupt workflow, though no patch is currently available. User interaction is required for exploitation.
Arbitrary code execution in Adobe InDesign versions 21.1, 20.5.1, and earlier through a heap buffer overflow vulnerability triggered by opening a malicious file. The vulnerability requires user interaction and executes with the privileges of the current user, with no patch currently available. Local attackers can leverage this to achieve code execution on affected systems.
Out-of-bounds memory read in Adobe InDesign versions 21.1, 20.5.1 and earlier enables disclosure of sensitive information residing in application memory. Exploitation requires a victim to open a specially crafted malicious file, making this a user-interaction dependent attack vector. No patch is currently available for affected users.
Arbitrary code execution in Adobe InDesign versions 21.0, 19.5.5 and earlier via a heap buffer overflow vulnerability when users open malicious files. The flaw requires user interaction but allows attackers to execute code with the privileges of the current user. No patch is currently available for this high-severity issue.
Adobe Illustrator versions 29.8.3 and 30.0 and earlier are vulnerable to a null pointer dereference that enables local denial-of-service attacks when users open crafted files. An attacker can crash the application by supplying a malicious file, disrupting workflow for targeted users. No patch is currently available for this vulnerability.
Arbitrary code execution in Adobe Illustrator 29.8.3 and 30.0 through an untrusted search path vulnerability that allows attackers to redirect application resource lookups to malicious executables. Exploitation requires local access and user interaction to open a crafted file, but executes with full user privileges and can affect the entire system. No patch is currently available.
Memory disclosure in Adobe InDesign versions 21.0, 19.5.5 and earlier through out-of-bounds read allows attackers to access sensitive information from application memory when users open specially crafted malicious files. This vulnerability requires user interaction to exploit but requires no special privileges to trigger. No patch is currently available for affected versions.
Arbitrary code execution in Adobe InDesign versions 21.0, 19.5.5 and earlier through a heap-based buffer overflow vulnerability triggered by opening a malicious file. Attackers can achieve code execution with the privileges of the affected user, requiring only social engineering to deliver the malicious document. No patch is currently available.
Arbitrary code execution in Adobe InDesign versions 21.0, 19.5.5 and earlier through an uninitialized pointer vulnerability that executes with user privileges when a victim opens a crafted file. This local attack requires user interaction but offers no patch availability and affects all current InDesign users.
Arbitrary code execution in Adobe InDesign versions 21.0, 19.5.5 and earlier through an uninitialized pointer vulnerability that executes with user privileges when a victim opens a crafted file. The attack requires no special privileges or system access, making it a significant risk for InDesign users who may inadvertently open malicious documents. No patch is currently available.
Improper verification of cryptographic signatures in Adobe Acrobat Reader versions up to 24.001.30264, 20.005.30803, and 25.001.20982 allows local attackers to bypass cryptographic protections and gain limited unauthorized write access to PDF documents. The vulnerability requires user interaction with a malicious or crafted PDF containing an improperly signed element. With a CVSS score of 3.3 and local attack vector, this represents a low-severity security feature bypass affecting document integrity verification.
Improper verification of cryptographic signatures in Adobe Acrobat Reader and Acrobat DC versions up to 24.001.30273, 25.001.20982, and 20.005.30803 allows local attackers to bypass security features and gain limited unauthorized write access to PDF documents. Exploitation requires user interaction with a malicious or specially crafted cryptographic signature embedded in a PDF file. No active exploitation has been confirmed at the time of analysis.
Arbitrary code execution in Adobe Acrobat Reader DC and Acrobat DC (all editions through versions 25.001.20982, 24.001.30273, and 20.005.30803) occurs when malicious files manipulate the application's DLL search path. Attackers achieve full code execution with current user privileges through local attack requiring social engineering to open a crafted PDF or related file. Adobe confirms the vulnerability in security bulletin APSB25-119 with patches released for all affected product lines. EPSS data not provided, but the local vector with required user interaction (AV:L/UI:R) and lack of CISA KEV listing suggest lower probability of widespread automated exploitation compared to remote vulnerabilities, though targeted attacks via phishing remain viable.
Adobe Pass versions 3.7.3 and earlier are affected by an Incorrect Authorization vulnerability. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Magento-lts is a long-term support alternative to Magento Community Edition (CE). Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Open redirect vulnerability in Adobe Connect 12.9 and earlier allows remote attackers to redirect users to arbitrary websites by crafting malicious links, requiring victim interaction to click the link. The vulnerability has low confidentiality impact with CVSS 4.3 and no confirmed active exploitation or public exploit code at time of analysis.
DOM-based Cross-Site Scripting in Adobe Connect 12.9 and earlier enables session hijacking when high-privileged administrators interact with attacker-crafted pages. Scope change to 'C' indicates the attacker can pivot beyond the vulnerable component's security boundary, allowing privileged session takeover that impacts both confidentiality and integrity at high levels. No active exploitation confirmed per CISA KEV at time of analysis. Adobe has released security advisory APSB25-70 addressing this vulnerability.
Adobe Commerce versions 2.4.9-alpha2 through 2.4.4-p15 are vulnerable to an incorrect authorization flaw that allows remote, unauthenticated attackers to bypass security controls and gain unauthorized read access to sensitive data. The vulnerability requires specific conditions beyond the attacker's control and does not require user interaction, but carries a moderate CVSS score of 5.9 reflecting high confidentiality impact and high attack complexity.
A reflected cross-site scripted (XSS) vulnerability in Codazon Magento Themes v1.1.0.0 to v2.4.7 allows attackers to execute arbitrary Javascript in the context of a user's browser via a crafted payload injected into the cat parameter.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Modern Minds Magento 2 WordPress Integration allows Stored XSS.4.1. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Acrobat Reader versions 24.001.30254, 20.005.30774, 25.001.20672 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Acrobat Reader versions 24.001.30254, 20.005.30774, 25.001.20672 and earlier are affected by a Violation of Secure Design Principles vulnerability that could result in a security feature bypass. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Adobe Experience Manager versions 6.5.23.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an XML Injection vulnerability that could result in a Security feature bypass. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Experience Manager versions 6.5.23.0 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Session hijacking in Adobe Commerce (Magento) 2.4.x through 2.4.9-alpha2 allows remote unauthenticated attackers to take over active user sessions via improper input validation, confirmed actively exploited (CISA KEV). With 73.72% EPSS score (99th percentile) and public exploit code available, this represents a critical, widespread threat to e-commerce platforms. Attackers gain unauthorized access to user accounts including administrative sessions without requiring victim interaction.
SAP NetWeaver AS Java application uses Adobe Document Service, installed with a vulnerable version of OpenSSL.Successful exploitation of known vulnerabilities in the outdated OpenSSL library would. Rated low severity (CVSS 3.4), this vulnerability is low attack complexity. No vendor patch available.
Adobe Experience Manager versions 6.5.22 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Stored XSS in Adobe Commerce and Magento versions 2.4.9-alpha3 through 2.4.4-p16 allows authenticated attackers to inject malicious scripts into form fields that execute in victims' browsers, enabling session hijacking and data theft. Exploitation requires user interaction when a victim visits a page containing the compromised field. No patch is currently available.
Unauthorized data disclosure in Adobe Commerce and Magento B2B versions 2.4.4 through 2.4.9-alpha3 stems from an authorization bypass flaw that allows unauthenticated attackers to view sensitive information without user interaction. The vulnerability exploits improper access controls to circumvent security protections, exposing confidential data to remote threat actors. Currently no patch is available for affected versions.
Incorrect authorization controls in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allow unauthenticated remote attackers to bypass security features and gain unauthorized read access to sensitive data without user interaction. The vulnerability stems from improper access restrictions and could expose confidential information across affected Magento Commerce and Commerce B2B deployments. No patch is currently available to remediate this issue.
Incorrect authorization controls in Adobe Commerce 2.4.9-alpha3 through 2.4.4-p16 permit low-privileged authenticated users to bypass security features and access restricted functionality without user interaction. The vulnerability stems from improper authorization checks that fail to enforce proper access controls. No patch is currently available for affected versions.
Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 enables high-privileged attackers to inject malicious scripts into form fields, which execute in victim browsers during page visits. An attacker exploiting this vulnerability can achieve session hijacking and compromise both confidentiality and integrity, though successful exploitation requires user interaction and administrative privileges. No patch is currently available.
Denial-of-service attacks against Adobe Commerce and Magento B2B versions 2.4.4 through 2.4.9-alpha3 are possible through improper input validation that fails to sanitize malicious payloads. An unauthenticated remote attacker can trigger application unavailability by sending specially crafted requests without requiring user interaction. No security patch is currently available for this vulnerability.
Adobe Experience Manager 6.5.23 and earlier contain a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts. When victims access pages containing the injected payload, the JavaScript executes in their browser context, potentially leading to session hijacking, credential theft, or other client-side attacks. No patch is currently available for this vulnerability.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged users to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker can leverage this vulnerability to steal session tokens, credentials, or perform actions on behalf of victims within the AEM environment. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers. An attacker with valid credentials can compromise other users' sessions and steal sensitive data by crafting specially crafted input. Currently no patch is available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers. An attacker with valid credentials could leverage this vulnerability to steal session tokens, modify page content, or perform actions on behalf of victims who view the compromised forms. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in users' browsers when the page is viewed. An attacker with login credentials can craft payloads in vulnerable fields to steal session data or perform actions on behalf of victims. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute in other users' browsers. An attacker can leverage this to steal session tokens, perform unauthorized actions, or redirect victims to malicious sites when they view compromised pages. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts through form fields that execute in other users' browsers. An attacker with valid credentials can craft payloads to steal session tokens, redirect users, or perform actions on their behalf when victims view affected pages. No patch is currently available for this vulnerability.
Adobe Experience Manager 6.5.23 and earlier contain a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts executed in other users' browsers. An attacker can exploit this to steal credentials, perform unauthorized actions, or deface content when victims access affected pages. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. This requires low privileges and user interaction, enabling attackers to steal session data or perform actions on behalf of victims within the application context. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. The vulnerability requires low privileges and user interaction, enabling attackers to steal session data or perform actions on behalf of victims. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when users view the compromised pages. The vulnerability requires low privileges and user interaction, enabling attackers to steal session data or perform actions on behalf of victims. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker can exploit this vulnerability to steal session tokens, perform unauthorized actions, or redirect users to malicious sites through script execution in victims' browsers. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with valid credentials can exploit this vulnerability to steal session tokens, perform actions on behalf of victims, or redirect users to malicious sites. No patch is currently available for this vulnerability.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute in other users' browsers. An attacker can exploit this vulnerability to perform actions on behalf of victims or steal sensitive information when they visit pages containing the compromised fields. No patch is currently available for this vulnerability.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute in victims' browsers. An attacker can exploit this vulnerability by injecting JavaScript that runs when other users access pages containing the compromised fields, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers. An attacker could exploit this to steal session tokens, redirect users, or perform actions on behalf of victims viewing affected pages. No patch is currently available.
Adobe Experience Manager 6.5.23 and earlier contains a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts. When victims visit pages containing the injected payload, the attacker's JavaScript executes in their browser, potentially compromising user sessions or stealing sensitive data. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in other users' browsers. An attacker with low privileges can craft malicious input that persists in the application and compromises confidentiality and integrity for victims who access the affected pages. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in victims' browsers when the contaminated pages are viewed. An attacker with valid credentials can exploit this to steal session tokens, credentials, or perform actions on behalf of affected users. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when users view the affected pages. A low-privileged user can exploit this to perform actions in the context of other users' browsers, potentially compromising session integrity and enabling credential theft or data exfiltration. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged attackers to inject malicious scripts into form fields that execute when victims view affected pages. The vulnerability requires user interaction and can result in session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. The vulnerability requires low-level privileges and user interaction to exploit, enabling attackers to steal session data or perform actions on behalf of victims. No patch is currently available for this medium-severity issue.
Stored XSS in Adobe Experience Manager versions 6.5.23 and earlier enables low-privileged attackers to embed malicious scripts in form fields that execute when legitimate users view the affected pages. An attacker with basic authentication can inject JavaScript that runs in victims' browsers, potentially compromising session data or performing unauthorized actions. No patch is currently available for this vulnerability.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with login credentials can compromise victim browsers and potentially steal sensitive information or perform unauthorized actions within the application context. No patch is currently available for this vulnerability.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields, which execute in the browsers of users viewing those pages. The vulnerability requires user interaction and has limited scope of impact, affecting confidentiality and integrity but not availability. No patch is currently available for this medium-severity issue.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with low privileges and user interaction can compromise the confidentiality and integrity of victim sessions. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. A low-privileged user can exploit this to perform actions in victim browsers or steal sensitive information, though no patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in victims' browsers when the affected pages are viewed. The vulnerability requires user interaction and is limited to low-impact information disclosure and modification, though it can affect multiple users due to its stored nature. No patch is currently available for this issue.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields, which execute in victims' browsers when they access affected pages. The vulnerability requires user interaction and can result in session hijacking, credential theft, or malware distribution. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in victims' browsers, potentially leading to session hijacking or credential theft. The vulnerability requires user interaction and is currently unpatched, with no active exploitation reported.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in users' browsers when the affected pages are accessed. An attacker with login credentials can craft payloads that persist in the application and compromise victim sessions or steal sensitive data. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers when they access affected pages. An attacker can exploit this to steal session tokens, perform unauthorized actions, or deface content with minimal user interaction required. No patch is currently available for this vulnerability.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields, which execute in victims' browsers when the affected pages are accessed. An attacker with login credentials can exploit this vulnerability to steal session tokens, credentials, or perform actions on behalf of users viewing the compromised forms. No patch is currently available for this vulnerability.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with low privileges can exploit this vulnerability to steal session tokens, credentials, or perform actions on behalf of victims through their browsers. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts through form fields, which execute in victims' browsers when they view affected pages. The vulnerability requires user interaction and network access but can impact confidentiality and integrity across security domains. No patch is currently available.
Adobe Experience Manager 6.5.23 and earlier contains a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts affecting other users who view the compromised pages. When a victim browses to a page containing the injected payload, the malicious JavaScript executes in their browser context, potentially enabling session hijacking or credential theft. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields, which execute in victims' browsers when they view affected pages. This requires user interaction and an authenticated attacker, but could compromise the confidentiality and integrity of user sessions. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier enables authenticated attackers to inject malicious scripts into form fields that execute when users view affected pages. An attacker with login credentials can compromise victim browsers and steal sensitive data or perform actions on their behalf. No patch is currently available.
Arbitrary code execution in Adobe Illustrator 29.8.4, 30.1 and earlier through an out-of-bounds write vulnerability affecting local users who open malicious files. An attacker can exploit this to execute code with the privileges of the targeted user, requiring only that the victim interact with a crafted document. No patch is currently available for this high-severity vulnerability.
Heap buffer overflow in Adobe Illustrator 29.8.4 and 30.1 allows arbitrary code execution under the current user's privileges when opening a malicious file. The vulnerability requires user interaction but carries no patch availability, leaving affected systems at risk. An attacker can achieve code execution by crafting and distributing a malicious document that triggers the memory corruption flaw.
Out-of-bounds memory read in Adobe Illustrator 29.8.4 and 30.1 and earlier enables attackers to disclose sensitive information from process memory by tricking users into opening malicious files. This local vulnerability requires user interaction but poses a high confidentiality risk with no available patch. Affected organizations should restrict file opening from untrusted sources until Adobe releases a fix.
Out-of-bounds memory read in Adobe Illustrator 29.8.4, 30.1 and earlier enables local attackers to extract sensitive data from process memory by tricking users into opening crafted files. No patch is currently available for this vulnerability, which requires user interaction but poses a meaningful confidentiality risk to affected users.
Arbitrary code execution in Adobe Illustrator 29.8.4 and 30.1 through a stack-based buffer overflow when processing malicious files. Local exploitation requires user interaction to open a crafted document, executing code with the privileges of the current user. No patch is currently available for affected versions.
Arbitrary code execution in Adobe Illustrator versions 29.8.4 and 30.1 and earlier results from an out-of-bounds write flaw that executes with user privileges. An attacker can achieve code execution by crafting a malicious file that triggers the vulnerability when opened by a victim. No patch is currently available for this high-severity issue.
Arbitrary code execution in Adobe Illustrator versions 29.8.4 and 30.1 and earlier via an untrusted search path vulnerability allows local attackers to execute malicious code with user privileges. The vulnerability requires a victim to open a specially crafted file, making it exploitable through social engineering or malicious file distribution. No patch is currently available.
Arbitrary code execution in Adobe Acrobat and Acrobat Reader versions 24.001.30307 and earlier stems from a use-after-free memory vulnerability triggered when users open specially crafted files. An attacker can achieve code execution with the privileges of the current user, though exploitation requires victim interaction. No patch is currently available for affected versions.
Improper certificate validation in Adobe Acrobat Reader DC versions 24.001.30307 and earlier allows local attackers to forge digital signatures by spoofing signer identity, bypassing security features that users rely on for document verification. This attack requires user interaction and affects multiple Adobe products including Acrobat DC. No patch is currently available.
Arbitrary code execution in Adobe Acrobat Reader and Acrobat (versions 24.001.30307 and earlier) via a use-after-free vulnerability requires victims to open a malicious file. Local attackers can exploit this to execute code with the privileges of the current user. No patch is currently available.
Integer overflow in psd-tools Python library before 1.12.2 when processing malformed RLE-compressed PSD files leads to heap overflow. PoC and patch available.
Heap memory disclosure in ImageMagick's PSD file parser allows unauthenticated remote attackers to leak sensitive information from process memory by crafting malicious Photoshop files with improperly compressed layer data. Affected versions prior to 7.1.2-15 and 6.9.13-40 fail to properly validate decompressed data sizes, exposing uninitialized heap contents in generated output images. No patch is currently available for this vulnerability.
InDesign versions 21.1, 20.5.1 and earlier contain a heap buffer overflow that enables local denial-of-service attacks when users open malicious files. An attacker can crash the application to disrupt workflow, though no patch is currently available. User interaction is required for exploitation.
Arbitrary code execution in Adobe InDesign versions 21.1, 20.5.1, and earlier through a heap buffer overflow vulnerability triggered by opening a malicious file. The vulnerability requires user interaction and executes with the privileges of the current user, with no patch currently available. Local attackers can leverage this to achieve code execution on affected systems.
Out-of-bounds memory read in Adobe InDesign versions 21.1, 20.5.1 and earlier enables disclosure of sensitive information residing in application memory. Exploitation requires a victim to open a specially crafted malicious file, making this a user-interaction dependent attack vector. No patch is currently available for affected users.
Arbitrary code execution in Adobe InDesign versions 21.0, 19.5.5 and earlier via a heap buffer overflow vulnerability when users open malicious files. The flaw requires user interaction but allows attackers to execute code with the privileges of the current user. No patch is currently available for this high-severity issue.
Adobe Illustrator versions 29.8.3 and 30.0 and earlier are vulnerable to a null pointer dereference that enables local denial-of-service attacks when users open crafted files. An attacker can crash the application by supplying a malicious file, disrupting workflow for targeted users. No patch is currently available for this vulnerability.
Arbitrary code execution in Adobe Illustrator 29.8.3 and 30.0 through an untrusted search path vulnerability that allows attackers to redirect application resource lookups to malicious executables. Exploitation requires local access and user interaction to open a crafted file, but executes with full user privileges and can affect the entire system. No patch is currently available.
Memory disclosure in Adobe InDesign versions 21.0, 19.5.5 and earlier through out-of-bounds read allows attackers to access sensitive information from application memory when users open specially crafted malicious files. This vulnerability requires user interaction to exploit but requires no special privileges to trigger. No patch is currently available for affected versions.
Arbitrary code execution in Adobe InDesign versions 21.0, 19.5.5 and earlier through a heap-based buffer overflow vulnerability triggered by opening a malicious file. Attackers can achieve code execution with the privileges of the affected user, requiring only social engineering to deliver the malicious document. No patch is currently available.
Arbitrary code execution in Adobe InDesign versions 21.0, 19.5.5 and earlier through an uninitialized pointer vulnerability that executes with user privileges when a victim opens a crafted file. This local attack requires user interaction but offers no patch availability and affects all current InDesign users.
Arbitrary code execution in Adobe InDesign versions 21.0, 19.5.5 and earlier through an uninitialized pointer vulnerability that executes with user privileges when a victim opens a crafted file. The attack requires no special privileges or system access, making it a significant risk for InDesign users who may inadvertently open malicious documents. No patch is currently available.
Improper verification of cryptographic signatures in Adobe Acrobat Reader versions up to 24.001.30264, 20.005.30803, and 25.001.20982 allows local attackers to bypass cryptographic protections and gain limited unauthorized write access to PDF documents. The vulnerability requires user interaction with a malicious or crafted PDF containing an improperly signed element. With a CVSS score of 3.3 and local attack vector, this represents a low-severity security feature bypass affecting document integrity verification.
Improper verification of cryptographic signatures in Adobe Acrobat Reader and Acrobat DC versions up to 24.001.30273, 25.001.20982, and 20.005.30803 allows local attackers to bypass security features and gain limited unauthorized write access to PDF documents. Exploitation requires user interaction with a malicious or specially crafted cryptographic signature embedded in a PDF file. No active exploitation has been confirmed at the time of analysis.
Arbitrary code execution in Adobe Acrobat Reader DC and Acrobat DC (all editions through versions 25.001.20982, 24.001.30273, and 20.005.30803) occurs when malicious files manipulate the application's DLL search path. Attackers achieve full code execution with current user privileges through local attack requiring social engineering to open a crafted PDF or related file. Adobe confirms the vulnerability in security bulletin APSB25-119 with patches released for all affected product lines. EPSS data not provided, but the local vector with required user interaction (AV:L/UI:R) and lack of CISA KEV listing suggest lower probability of widespread automated exploitation compared to remote vulnerabilities, though targeted attacks via phishing remain viable.
Adobe Pass versions 3.7.3 and earlier are affected by an Incorrect Authorization vulnerability. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Magento-lts is a long-term support alternative to Magento Community Edition (CE). Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Open redirect vulnerability in Adobe Connect 12.9 and earlier allows remote attackers to redirect users to arbitrary websites by crafting malicious links, requiring victim interaction to click the link. The vulnerability has low confidentiality impact with CVSS 4.3 and no confirmed active exploitation or public exploit code at time of analysis.
DOM-based Cross-Site Scripting in Adobe Connect 12.9 and earlier enables session hijacking when high-privileged administrators interact with attacker-crafted pages. Scope change to 'C' indicates the attacker can pivot beyond the vulnerable component's security boundary, allowing privileged session takeover that impacts both confidentiality and integrity at high levels. No active exploitation confirmed per CISA KEV at time of analysis. Adobe has released security advisory APSB25-70 addressing this vulnerability.
Adobe Commerce versions 2.4.9-alpha2 through 2.4.4-p15 are vulnerable to an incorrect authorization flaw that allows remote, unauthenticated attackers to bypass security controls and gain unauthorized read access to sensitive data. The vulnerability requires specific conditions beyond the attacker's control and does not require user interaction, but carries a moderate CVSS score of 5.9 reflecting high confidentiality impact and high attack complexity.
A reflected cross-site scripted (XSS) vulnerability in Codazon Magento Themes v1.1.0.0 to v2.4.7 allows attackers to execute arbitrary Javascript in the context of a user's browser via a crafted payload injected into the cat parameter.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Modern Minds Magento 2 WordPress Integration allows Stored XSS.4.1. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Acrobat Reader versions 24.001.30254, 20.005.30774, 25.001.20672 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Acrobat Reader versions 24.001.30254, 20.005.30774, 25.001.20672 and earlier are affected by a Violation of Secure Design Principles vulnerability that could result in a security feature bypass. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Adobe Experience Manager versions 6.5.23.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an XML Injection vulnerability that could result in a Security feature bypass. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Experience Manager versions 6.5.23.0 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Session hijacking in Adobe Commerce (Magento) 2.4.x through 2.4.9-alpha2 allows remote unauthenticated attackers to take over active user sessions via improper input validation, confirmed actively exploited (CISA KEV). With 73.72% EPSS score (99th percentile) and public exploit code available, this represents a critical, widespread threat to e-commerce platforms. Attackers gain unauthorized access to user accounts including administrative sessions without requiring victim interaction.
SAP NetWeaver AS Java application uses Adobe Document Service, installed with a vulnerable version of OpenSSL.Successful exploitation of known vulnerabilities in the outdated OpenSSL library would. Rated low severity (CVSS 3.4), this vulnerability is low attack complexity. No vendor patch available.
Adobe Experience Manager versions 6.5.22 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.