Adobe Fixes 19 Critical Vulnerabilities Across 4 Products

⚡ TL;DR | Go Straight to the Adobe Acrobat Vulnerability Audit Report

Adobe has released a series of security updates for Adobe Acrobat and Reader, Commerce, Dimension, and XMP Toolkit. The updates address a total of 37 vulnerabilities that range in severity from moderate to critical. Successful exploitation of these vulnerabilities could lead to all kinds of issues like arbitrary code execution, application denial of service, privilege escalation, memory leak, and more. We have added a new report to Lansweeper to help you locate vulnerable installations.

Affected Adobe Software and Fixed Versions

Adobe released updates for 4 of its products: Acrobat and Reader, Commerce, Dimension, and XMP Toolkit. We’ve broken down the updates by product below with an overview of the affected and fixed versions. You can find a full overview of all vulnerabilities addressed below.

Adobe Acrobat and Reader

The updates to Adobe Acrobat and Reader for Windows and macOS are the largest and address 30 vulnerabilities, 16 of which are critical. These vulnerabilities could lead to application denial-of-service, security feature bypass, memory leak, and arbitrary code execution . Detailed update instructions can be found on Adobe’s bulletin.

Product	Track	Affected version	Updated Version
Acrobat DC	Continuous	23.003.20244 and earlier versions	23.003.20269
Acrobat Reader DC	Continuous	23.003.20244 and earlier versions	23.003.20269
Acrobat 2020	Classic 2020	20.005.30467 and earlier versions	20.005.30516.10516 for Mac 20.005.30514.10514 for Windows
Acrobat Reader 2020	Classic 2020	20.005.30467 and earlier versions	20.005.30516.10516 for Mac 20.005.30514.10514 for Windows

Based on this list of affected products and versions shared by Adobe, we have created a special Lansweeper report that will provide a list of all installations in your environment that could be affected by these vulnerabilities.

Adobe Commerce

3 vulnerabilities were patched in Adobe Commerce and Magento Open Source for all platforms, 1 of which is critical. Successful exploitation of these issues could lead to arbitrary code execution, privilege escalation, and arbitrary file system read. Please note that in the table below, the products marked with an * are available to customers in the extended support program.

Product	Affected version	Updated Version	Installation Instructions
Adobe Commerce	2.4.6-p1 and earlier 2.4.5-p3 and earlier 2.4.4-p4 and earlier 2.4.3-ext-3 and earlier* 2.4.2-ext-3 and earlier* 2.4.1-ext-3 and earlier* 2.4.0-ext-3 and earlier* 2.3.7-p4-ext-3 and earlier*	2.4.6-p2 for 2.4.6 and earlier 2.4.5-p4 for 2.4.5-p3 and earlier 2.4.4-p5 for 2.4.4-p3 and earlier 2.4.3-ext-4 for 2.4.3-ext-2 and earlier* 2.4.2-ext-4 for 2.4.2-ext-2 and earlier* 2.4.1-ext-4 for 2.4.1-ext-2 and earlier* 2.4.0-ext-4 for 2.4.0-ext-2 and earlier* 2.3.7-p4-ext-4 for 2.3.7-p4-ext-2 and earlier*	2.4.x release notes
Magento Open Source	2.4.6-p1 and earlier 2.4.5-p3 and earlier 2.4.4-p4 and earlier	2.4.6-p2 for 2.4.6 and earlier 2.4.5-p4 for 2.4.5-p3 and earlier 2.4.4-p5 for 2.4.4-p3 and earlier

Adobe Dimension 

In Adobe Dimension for Windows and macOS, 3 vulnerabilities were fixed, including 2 critical ones. Adobe recommends users update their installation to the newest version via the Creative Cloud desktop app’s update mechanism. You can find more information on their help page.

Product	Affected version	Updated Version	Availability
Adobe Dimension	3.4.9 and earlier versions	3.4.10	Download center

Adobe XMP Toolkit SDK

1 more important vulnerability was fixed in Adobe XMP Toolkit SDK for all platforms. Exploitation could lead to application denial of service. Adobe recommends that you update your installation to the newest version.

Product	Affected version	Updated Versions	Availability
Adobe XMP-Toolkit-SDK	2022.06 and earlier versions	2023.07	Release notes

Discover Vulnerable Adobe Installations

Just like we did for the Adobe Acrobat (Reader) vulnerabilities above, you can use Lansweeper to discover any installs of the vulnerable Adobe products and versions in your network. This way you have an actionable list of devices and software that might require a patch.

Adobe Security Update August 2023 CVE Codes & Categories

CVE number(s)	Vulnerability Category	CVSS base score
CVE-2023-29320	Improper Access Control	8.6
CVE-2023-29299	Improper Input Validation	5.6
CVE-2023-29303	Use After Free	5.5
CVE-2023-38222	Use After Free	7.8
CVE-2023-38223	Access of Uninitialized Pointer	7.8
CVE-2023-38224	Use After Free	7.8
CVE-2023-38225	Use After Free	7.8
CVE-2023-38226	Access of Uninitialized Pointer	7.8
CVE-2023-38227	Use After Free	7.8
CVE-2023-38228	Use After Free	7.8
CVE-2023-38229	Out-of-bounds Read	7.8
CVE-2023-38230	Use After Free	7.8
CVE-2023-38231	Out-of-bounds Write	7.8
CVE-2023-38232	Out-of-bounds Read	7.8
CVE-2023-38233	Out-of-bounds Write	7.8
CVE-2023-38234	Access of Uninitialized Pointer	7.8
CVE-2023-38235	Out-of-bounds Read	7.8
CVE-2023-38236	Out-of-bounds Read	5.5
CVE-2023-38237	Out-of-bounds Read	5.5
CVE-2023-38238	Use After Free	4.0
CVE-2023-38239	Out-of-bounds Read	5.5
CVE-2023-38240	Out-of-bounds Read	5.5
CVE-2023-38241	Out-of-bounds Read	5.5
CVE-2023-38242	Out-of-bounds Read	5.5
CVE-2023-38243	Use After Free	5.5
CVE-2023-38244	Out-of-bounds Read	5.5
CVE-2023-38245	Improper Input Validation	6.1
CVE-2023-38246	Access of Uninitialized Pointer	7.8
CVE-2023-38247	Out-of-bounds Read	3.3
CVE-2023-38248	Out-of-bounds Read	3.3
CVE-2023-38207	CVE-2023-38207	5.3
CVE-2023-38208	Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)	9.1
CVE-2023-38209	Improper Access Control	6.5
CVE-2023-38211	Use After Free	7.8
CVE-2023-38212	Heap-based Buffer Overflow	7.8
CVE-2023-38213	Out-of-bounds Read	3.3
CVE-2023-38210	Uncontrolled Resource Consumption	5.5