Adobe Releases Critical Updates for Multiple Products

⚡ TL;DR | Go Straight to the Adobe Security Update Report

Adobe has released its September Security Update addressing 63 vulnerabilities across 7 products. All of these vulnerabilities received a CVSS base score between 5.3 and 7.8, with 35 of them being critical. Exploitation could lead to a number of problems like arbitrary code execution, security feature bypass, arbitrary file system read, and memory leak. For your organization, this could result in the loss or even theft of business-critical or sensitive files and data, disruptions in business operations, and application failures.

As the vulnerabilities affect several different Adobe products and versions, you can find lists of the affected versions per product below.

Affected Software and Versions

Adobe Experience Manager

In Adobe Experience Manager 11 vulnerabilities were fixed, though none of them are critical. For the updates, detailed instructions can be found on Adobe’s bulletin-(APSB22-40). If you are running on Adobe Experience Manager’s Cloud Service, you will automatically receive updates that include new features as well as security and functionality bug fixes.

Product	Affected Version	Updated version	Availability
Adobe Experience Manager (AEM)	AEM Cloud Service (CS)	AEM Cloud Service (CS)	Release Notes
	6.5.13.0 and earlier versions	6.5.14.0	AEM 6.5 Service Pack Release Notes

Adobe Bridge

Another 12 vulnerabilities were patched in Adobe Bridge (APSB22-49) for Windows and macOS, 10 of them critical. Adobe recommends that you update your installation to the newest version via the Creative Cloud desktop app’s update mechanism. Detailed instructions are available on the help page.

Product	Affected Version	Updated version	Availability
Adobe Bridge	12.0.2 and earlier versions	12.0.3	Download Page
	11.1.3 and earlier versions	11.1.4	Download Page

Adobe InDesign 

In Adobe InDesign (APSB22-50) for Windows and macOS, 18 vulnerabilities were fixed, including 8 critical ones. Adobe recommends users update their installation to the newest version via the Creative Cloud desktop app’s update mechanism. You can find more information on their help page.

Product	Affected version	Updated Version
Adobe InDesign	17.3 and earlier versions	17.4
	16.4.2 and earlier versions	16.4.3

Adobe Photoshop

In Adobe Photoshop 2021 and 2022 (APSB22-52) for Windows and macOS, 10 vulnerabilities have been patched, 9 of which were critical. Adobe recommends that you update your installation to the newest version via the Creative Cloud desktop app’s update mechanism. You can find more information on the help page.

Product	Affected version	Updated Version
Photoshop 2021	22.5.8 and earlier versions	22.5.9
Photoshop 2022	23.4.2 and earlier versions	23.5

Adobe InCopy 

7 vulnerabilities were fixed in Adobe InCopy (APSB22-53) for Windows and macOS, 5 of which are critical. You are advised to update your software installations via the Creative Cloud desktop app updater, or by navigating to the InCopy Help menu and clicking “Updates.” More information can be found on the help page.

Product	Affected version	Updated Version
Adobe InCopy	17.3 and earlier version	17.4
	16.4.2 and earlier version	16.4.3

Adobe Animate

In Adobe Animate 2021 and 2022 (APSB22-54) 2 critical vulnerabilities were patched that could lead to arbitrary code execution in the context of the current user. Adobe recommends that you update your installation using the Creative Cloud desktop app’s updater. You can find more details on the help page.

Product	Affected version	Updated Version	Availability
Adobe Animate 2021	21.0.11 and earlier versions	21.0.12	Download Center
Adobe Animate 2022	22.0.7 and earlier versions	22.0.8	Download Center

Adobe Illustrator 

Finally, 3 more vulnerabilities were patched in Adobe Illustrator 2021 and 2022 (APSB22-55), 1 of them critical. These can also be updated via the Creative Cloud desktop app’s update mechanism. For more information, you can check the help page.

Product	Affected version	Updated Version	Availability
Illustrator 2022	26.4 and earlier versions	26.5	Download Page
Illustrator 2021	25.4.7 and earlier versions	25.4.8	Download Page

Discover Vulnerable Devices

You can use Lansweeper to discover any installs of vulnerable Adobe products and versions in your network. This way you have an actionable list of devices and software that might require a patch. Based on this list of affected products and versions shared by Adobe, we have created a special Lansweeper report that will provide a list of all installations in your environment that could be affected by these vulnerabilities.

Adobe September 2022 CVE Codes & Categories

CVE numbers	Vulnerability Category	CVSS base score
CVE-2022-30677	Cross-site Scripting (XSS) (CWE-79)	5.4
CVE-2022-30678	Cross-site Scripting (XSS) (CWE-79)	5.4
CVE-2022-30680	Cross-site Scripting (XSS) (CWE-79)	5.4
CVE-2022-30681	Cross-site Scripting (Stored XSS) (CWE-79)	5.4
CVE-2022-30682	Cross-site Scripting (Stored XSS) (CWE-79)	6.4
CVE-2022-30683	Violation of Secure Design Principles (CWE-657)	5.3
CVE-2022-30684	Cross-site Scripting (Reflected XSS) (CWE-79)	5.4
CVE-2022-30685	Cross-site Scripting (Reflected XSS) (CWE-79)	5.4
CVE-2022-30686	Cross-site Scripting (Reflected XSS) (CWE-79)	5.4
CVE-2022-35664	Cross-site Scripting (Reflected XSS) (CWE-79)	5.4
CVE-2022-34218	Cross-site Scripting (Reflected XSS) (CWE-79)	5.4
CVE-2022-35699	Out-of-bounds Write (CWE-787)	7.8
CVE-2022-35700	Out-of-bounds Write (CWE-787)	7.8
CVE-2022-35701	Out-of-bounds Write (CWE-787)	7.8
CVE-2022-35702	Out-of-bounds Read (CWE-125)	7.8
CVE-2022-35703	Out-of-bounds Read (CWE-125)	7.8
CVE-2022-35704	Use After Free (CWE-416)	7.8
CVE-2022-35705	Out-of-bounds Read (CWE-125)	7.8
CVE-2022-35706	Heap-based Buffer Overflow (CWE-122)	7.8
CVE-2022-35707	Out-of-bounds Read (CWE-125)	7.8
CVE-2022-35708	Heap-based Buffer Overflow (CWE-122)	7.8
CVE-2022-35709	Use After Free (CWE-416)	5.5
CVE-2022-38425	Use After Free (CWE-416)	5.5
CVE-2022-28851 (This CVE is only available in the latest version, ID 17.4)	Improper Input Validation (CWE-20)	7.5
CVE-2022-28852	Out-of-bounds Write (CWE-787)	7.8
CVE-2022-28853	Out-of-bounds Write (CWE-787)	7.8
CVE-2022-28854	Out-of-bounds Read (CWE-125)	5.5
CVE-2022-28855	Out-of-bounds Read (CWE-125)	5.5
CVE-2022-28856	Out-of-bounds Read (CWE-125)	5.5
CVE-2022-28857	Out-of-bounds Read (CWE-125)	5.5
CVE-2022-30671	Out-of-bounds Read (CWE-125)	5.5
CVE-2022-30672	Out-of-bounds Read (CWE-125)	5.5
CVE-2022-30673	Out-of-bounds Read (CWE-125)	5.5
CVE-2022-30674	Out-of-bounds Read (CWE-125)	5.5
CVE-2022-30675	Out-of-bounds Read (CWE-125)	5.5
CVE-2022-30676	Out-of-bounds Read (CWE-125)	5.5
CVE-2022-38413	Heap-based Buffer Overflow (CWE-122)	7.8
CVE-2022-38414	Heap-based Buffer Overflow (CWE-122)	7.8
CVE-2022-38415	Heap-based Buffer Overflow (CWE-122)	7.8
CVE-2022-38416	Out-of-bounds Read (CWE-125)	7.8
CVE-2022-38417	Out-of-bounds Read (CWE-125)	7.8
CVE-2022-35713	Out-of-bounds Write (CWE-787)	7.8
CVE-2022-38426	Access of Uninitialized Pointer (CWE-824)	7.8
CVE-2022-38427	Access of Uninitialized Pointer (CWE-824)	7.8
CVE-2022-38428	Use After Free (CWE-416)	5.5
CVE-2022-38429	Out-of-bounds Read (CWE-125)	7.8
CVE-2022-38430	Out-of-bounds Read (CWE-125)	7.8
CVE-2022-38431	Out-of-bounds Read (CWE-125)	7.8
CVE-2022-38432	Heap-based Buffer Overflow (CWE-122)	7.8
CVE-2022-38433	Heap-based Buffer Overflow (CWE-122)	7.8
CVE-2022-38434	Use After Free (CWE-416)	7.8
CVE-2022-38401	Heap-based Buffer Overflow (CWE-122)	7.8
CVE-2022-38402	Out-of-bounds Read (CWE-125)	7.8
CVE-2022-38403	Out-of-bounds Read (CWE-125)	7.8
CVE-2022-38404	Heap-based Buffer Overflow (CWE-122)	7.8
CVE-2022-38405	Heap-based Buffer Overflow (CWE-122)	7.8
CVE-2022-38406	Out-of-bounds Read (CWE-125)	5.5
CVE-2022-38407	Out-of-bounds Read (CWE-125)	5.5
CVE-2022-38411	Heap-based Buffer Overflow (CWE-122)	7.8
CVE-2022-38412	Out-of-bounds Read (CWE-125)	7.8
CVE-2022-38408	Improper Input Validation (CWE-20)	7.8
CVE-2022-38409	Out-of-bounds Read (CWE-125)	5.5
CVE-2022-38410	Out-of-bounds Read (CWE-125)	5.5