Cross-site Scripting XSS

CVE-2019-16466 (v3: 6.1) 15 Jan 2020
Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 have a reflected cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2019-16467 (v3: 6.1) 15 Jan 2020
Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 have a reflected cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2019-8085 (v3: 6.1) 25 Oct 2019
Adobe Experience Manager versions 6.5, 6.4, 6.3 and 6.2 have a reflected cross site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2019-8083 (v3: 6.1) 25 Oct 2019
Adobe Experience Manager versions 6.5, 6.4 and 6.3 have a cross site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2019-8084 (v3: 6.1) 25 Oct 2019
Adobe Experience Manager versions 6.5, 6.4, 6.3 and 6.2 have a reflected cross site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2019-8078 (v3: 6.1) 24 Oct 2019
Adobe Experience Manager versions 6.4, 6.3 and 6.2 have a reflected cross site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2019-8079 (v3: 6.1) 24 Oct 2019
Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a stored cross site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2019-8080 (v3: 6.1) 24 Oct 2019
Adobe Experience Manager versions 6.4 and 6.3 have a stored cross site scripting vulnerability. Successful exploitation could lead to privilege escalation.
CVE-2019-8089 (v3: 6.1) 22 Oct 2019
Adobe Experience Manager Forms versions 6.3-6.5 have a reflected cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2019-7954 (v3: 6.1) 18 Jul 2019
Adobe Experience Manager version 6.4 and ealier have a Stored Cross-site Scripting vulnerability. Successful exploitation could lead to Sensitive Information disclosure in the context of the current user.
CVE-2019-7955 (v3: 6.1) 18 Jul 2019
Adobe Experience Manager version 6.4 and ealier have a Reflected Cross-site Scripting vulnerability. Successful exploitation could lead to Sensitive Information disclosure in the context of the current user.
CVE-2019-7129 (v3: 6.1) 29 May 2019
Adobe Experience Manager Forms versions 6.2, 6.3 and 6.4 have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2019-7092 (v3: 6.1) 24 May 2019
ColdFusion versions Update 1 and earlier, Update 7 and earlier, and Update 15 and earlier have a cross site scripting vulnerability. Successful exploitation could lead to information disclosure .
CVE-2018-19724 (v3: 6.1) 28 Jan 2019
Adobe Experience Manager Forms versions 6.2, 6.3 and 6.4 have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2018-19726 (v3: 6.1) 28 Jan 2019
Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2018-19727 (v3: 6.1) 28 Jan 2019
Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a reflected cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2018-15969 (v3: 6.1) 17 Oct 2018
Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2018-15970 (v3: 6.1) 17 Oct 2018
Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a reflected cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2018-15971 (v3: 6.1) 17 Oct 2018
Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a reflected cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2018-15972 (v3: 6.1) 17 Oct 2018
Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2018-15973 (v3: 6.1) 17 Oct 2018
Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2018-5005 (v3: 6.1) 6 Sep 2018
Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a Cross-site Scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2018-12806 (v3: 6.1) 29 Aug 2018
Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a reflected cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2018-4921 (v3: 6.1) 19 May 2018
Adobe Connect versions 9.7 and earlier have an exploitable unrestricted SWF file upload vulnerability. Successful exploitation could lead to information disclosure.
CVE-2018-4929 (v3: 6.1) 19 May 2018
Adobe Experience Manager versions 6.2 and earlier have an exploitable stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2018-4930 (v3: 6.1) 19 May 2018
Adobe Experience Manager versions 6.3 and earlier have an exploitable Cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2018-4931 (v3: 6.1) 19 May 2018
Adobe Experience Manager versions 6.1 and earlier have an exploitable stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2018-4940 (v3: 6.1) 19 May 2018
Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Cross-Site Scripting vulnerability. Successful exploitation could lead to information disclosure.
CVE-2018-4941 (v3: 6.1) 19 May 2018
Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Cross-Site Scripting vulnerability. Successful exploitation could lead to information disclosure.
CVE-2018-4875 (v3: 6.1) 27 Feb 2018
Adobe Experience Manager versions 6.1 and 6.0 are vulnerable to a reflected cross-site scripting vulnerability related to the handling of malicious content embedded in image files uploaded to the DAM.
CVE-2018-4876 (v3: 6.1) 27 Feb 2018
Adobe Experience Manager versions 6.3, 6.2, and 6.1 are vulnerable to cross-site scripting via a bypass of the Sling XSSAPI#getValidHref function.
CVE-2017-11287 (v3: 6.1) 9 Dec 2017
An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A reflected cross-site scripting vulnerability exists that can result in information disclosure.
CVE-2017-11288 (v3: 6.1) 9 Dec 2017
An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A reflected cross-site scripting vulnerability exists that can result in information disclosure.
CVE-2017-11289 (v3: 6.1) 9 Dec 2017
An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A reflected cross-site scripting vulnerability exists that can result in information disclosure.
CVE-2017-11296 (v3: 6.1) 9 Dec 2017
An issue was discovered in Adobe Experience Manager 6.3, 6.2, 6.1, 6.0. A cross-site scripting vulnerability in Apache Sling Servlets Post 2.3.20 has been resolved in Adobe Experience Manager.
CVE-2017-3109 (v3: 6.1) 9 Dec 2017
An issue was discovered in Adobe Experience Manager 6.3, 6.2, 6.1, 6.0. Adobe Experience Manager has a reflected cross-site scripting vulnerability in the HtmlRendererServlet.
CVE-2017-11285 (v3: 6.1) 1 Dec 2017
Adobe ColdFusion has a cross-site scripting (XSS) vulnerability. This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11.
CVE-2017-3102 (v3: 6.1) 17 Jul 2017
Adobe Connect versions 9.6.1 and earlier have a reflected cross-site scripting vulnerability. Successful exploitation could lead to a reflected cross-site scripting attack.
CVE-2017-3103 (v3: 6.1) 17 Jul 2017
Adobe Connect versions 9.6.1 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to a stored cross-site scripting attack.
CVE-2017-3008 (v3: 6.1) 27 Apr 2017
Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a reflected cross-site scripting vulnerability.
CVE-2017-2969 (v3: 6.1) 15 Feb 2017
Adobe Campaign versions 16.4 Build 8724 and earlier have a cross-site scripting (XSS) vulnerability.
CVE-2016-6933 (v3: 6.1) 15 Dec 2016
Adobe Experience Manager Forms versions 6.2 and earlier, LiveCycle 11.0.1, LiveCycle 10.0.4 have an input validation issue in the AACComponent that could be used in cross-site scripting attacks.
CVE-2016-6934 (v3: 6.1) 15 Dec 2016
Adobe Experience Manager Forms versions 6.2 and earlier, LiveCycle 11.0.1, LiveCycle 10.0.4 have an input validation issue in the PMAdmin module that could be used in cross-site scripting attacks.
CVE-2016-7882 (v3: 6.1) 15 Dec 2016
Adobe Experience Manager versions 6.2 and earlier have an input validation issue in the WCMDebug filter that could be used in cross-site scripting attacks.
CVE-2016-7883 (v3: 6.1) 15 Dec 2016
Adobe Experience Manager version 6.2 has an input validation issue in create Launch wizard that could be used in cross-site scripting attacks.
CVE-2016-7884 (v3: 6.1) 15 Dec 2016
Adobe Experience Manager versions 6.1 and earlier have an input validation issue in the DAM create assets that could be used in cross-site scripting attacks.
CVE-2016-7851 (v3: 6.1) 8 Nov 2016
Adobe Connect version 9.5.6 and earlier does not adequately validate input in the events registration module. This vulnerability could be exploited in cross-site scripting attacks.
CVE-2016-4168 (v3: 6.1) 9 Aug 2016
Cross-site scripting (XSS) vulnerability in Adobe Experience Manager 5.6.1, 6.0, and 6.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2016-4170 (v3: 6.1) 9 Aug 2016
Cross-site scripting (XSS) vulnerability in Adobe Experience Manager 5.6.1, 6.0, 6.1, and 6.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2016-4159 (v3: 6.1) 16 Jun 2016
Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 10 before Update 20, 11 before Update 9, and 2016 before Update 2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Bounds of a Memory Buffer

CVE-2020-3759 (v3: 7.5) 13 Feb 2020
Adobe Digital Editions versions 4.5.10 and below have a buffer errors vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7104 (v3: 9.8) 23 May 2019
Adobe Shockwave Player versions 12.3.4.204 and earlier have a memory corruption vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2018-12813 (v3: 9.8) 17 Oct 2018
Adobe Digital Editions versions 4.5.8 and below have a heap overflow vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2018-12814 (v3: 9.8) 17 Oct 2018
Adobe Digital Editions versions 4.5.8 and below have a heap overflow vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2018-12823 (v3: 9.8) 17 Oct 2018
Adobe Digital Editions versions 4.5.8 and below have a heap overflow vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2017-11308 (v3: 9.8) 19 May 2018
Adobe Acrobat and Reader versions 2017.012.20098 and earlier, 2017.011.30066 and earlier, 2015.006.30355 and earlier, 11.0.22 and earlier have an exploitable heap overflow vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
CVE-2018-4917 (v3: 9.8) 19 May 2018
Adobe Acrobat and Reader versions 2018.009.20050 and earlier, 2017.011.30070 and earlier, 2015.006.30394 and earlier have an exploitable heap overflow vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
CVE-2018-4904 (v3: 8.8) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability is an instance of a heap overflow vulnerability. The vulnerability is triggered by crafted TIFF data within an XPS file, which causes an out of bounds memory access. An attacker can potentially leverage the vulnerability to corrupt sensitive data or execute arbitrary code.
CVE-2018-4910 (v3: 8.8) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability is an instance of a heap overflow vulnerability in the JavaScript engine. The vulnerability is triggered by a PDF file with crafted JavaScript code that manipulates the optional content group (OCG). A successful attack can lead to code corruption, control-flow hijack, or a code re-use attack.
CVE-2012-0771 (v3: 8.8) 19 Feb 2018
Adobe Shockwave Player before 11.6.4.634 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-0759.
CVE-2017-16364 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This issue is due to an untrusted pointer dereference when handling number format dictionary entries. In this scenario, the input is crafted in way that the computation results in pointers to memory locations that do not belong to the relevant process address space. The dereferencing operation is a read operation, and an attack can result in sensitive data exposure.
CVE-2017-16368 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This vulnerability leads to a stack-based buffer overflow condition in the internal Unicode string manipulation module. It is triggered by an invalid PDF file, where a crafted Unicode string causes an out of bounds memory access of a stack allocated buffer, due to improper checks when manipulating an offset of a pointer to the buffer. Attackers can exploit the vulnerability and achieve arbitrary code execution if they can effectively control the accessible memory.
CVE-2017-16371 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This issue is due to an untrusted pointer dereference in the JavaScript engine. In this scenario, the input is crafted in a way that the computation results in pointers to memory locations that do not belong to the relevant process address space. The dereferencing operation is a read operation, and an attack can result in sensitive data exposure.
CVE-2017-16372 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This issue is due to untrusted pointer dereference in the JavaScript API engine. In this scenario, the JavaScript input is crafted in way that the computation results with pointer to memory locations that do not belong to the relevant process address space. The dereferencing operation is a read operation, and an attack can result with sensitive data exposure.
CVE-2017-16373 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This issue is due to an untrusted pointer dereference. In this scenario, the input is crafted in way that the computation results in pointers to memory locations that do not belong to the relevant process address space. The dereferencing operation is a read operation, and an attack can result in sensitive data exposure.
CVE-2017-16375 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This issue is due to an untrusted pointer dereference in the JavaSscript API engine. In this scenario, the JavaScript input is crafted in way that the computation results in pointers to memory locations that do not belong to the relevant process address space. The dereferencing operation is a read operation, and an attack can result in sensitive data exposure.
CVE-2017-16381 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. The vulnerability is caused by a buffer access with an incorrect length value when processing TIFF files embedded within an XPS document. Crafted TIFF image input causes a mismatch between allocated buffer size and the access allowed by the computation. If an attacker can adequately control the accessible memory then this vulnerability can be leveraged to achieve arbitrary code execution.
CVE-2017-16383 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This vulnerability is an instance of a heap overflow vulnerability when processing a JPEG file embedded within an XPS document.
CVE-2017-16385 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. The vulnerability is caused by a buffer access with an incorrect length value in TIFF parsing during XPS conversion. Crafted TIFF image input causes a mismatch between allocated buffer size and the access allowed by the computation. If an attacker can adequately control the accessible memory then this vulnerability can be leveraged to achieve arbitrary code execution.
CVE-2017-16386 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This vulnerability occurs as a result of a computation that reads data that is past the end of the target buffer; the computation is part of the XPS2PDF conversion engine. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.
CVE-2017-16387 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This vulnerability occurs as a result of a computation that reads data that is past the end of the target buffer; the computation is part of the JPEG2000 codec. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.
CVE-2017-16392 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. The vulnerability is caused by a buffer access with an incorrect length value in the JPEG processing module. Crafted input with an unexpected JPEG file segment size causes a mismatch between allocated buffer size and the access allowed by the computation. If an attacker can adequately control the accessible memory then this vulnerability can be leveraged to achieve arbitrary code execution.
CVE-2017-16395 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. The vulnerability is caused by a buffer access with an incorrect length value in the image conversion module when processing Enhanced Metafile Format (EMF). Crafted EMF input (EMR_STRETCHDIBITS) causes a mismatch between allocated buffer size and the access allowed by the computation. If an attacker can adequately control the accessible memory then this vulnerability can be leveraged to achieve arbitrary code execution.
CVE-2017-16396 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. The vulnerability is caused by a buffer access with an incorrect length value in the TIFF processing module. Crafted input causes a mismatch between allocated buffer size and the access allowed by the computation. If an attacker can adequately control the accessible memory then this vulnerability can be leveraged to achieve arbitrary code execution.
CVE-2017-16411 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This vulnerability occurs as a result of a computation that reads data that is past the end of the target buffer; the computation is part of the WebCapture module, related to an internal hash table implementation. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.
CVE-2017-11293 (v3: 9.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. An exploitable memory corruption vulnerability exists. Successful exploitation could lead to arbitrary code execution.
CVE-2017-11295 (v3: 9.8) 9 Dec 2017
An issue was discovered in Adobe DNG Converter 9.12.1 and earlier versions. An exploitable memory corruption vulnerability exists. Successful exploitation could lead to arbitrary code execution.
CVE-2017-11297 (v3: 5.3) 9 Dec 2017
An issue was discovered in Adobe Digital Editions 4.5.6 and earlier versions. An exploitable memory corruption vulnerability exists, which could lead to disclosure of memory addresses.
CVE-2017-11298 (v3: 5.3) 9 Dec 2017
An issue was discovered in Adobe Digital Editions 4.5.6 and earlier versions. An exploitable memory corruption vulnerability exists, which could lead to disclosure of memory addresses.
CVE-2017-11299 (v3: 5.3) 9 Dec 2017
An issue was discovered in Adobe Digital Editions 4.5.6 and earlier versions. An exploitable memory corruption vulnerability exists, which could lead to disclosure of memory addresses.
CVE-2017-11300 (v3: 5.3) 9 Dec 2017
An issue was discovered in Adobe Digital Editions 4.5.6 and earlier versions. An exploitable memory corruption vulnerability exists, which could lead to disclosure of memory addresses.
CVE-2017-11301 (v3: 5.3) 9 Dec 2017
An issue was discovered in Adobe Digital Editions 4.5.6 and earlier versions. An exploitable memory corruption vulnerability exists, which could lead to disclosure of memory addresses.
CVE-2017-11302 (v3: 9.8) 9 Dec 2017
An issue was discovered in Adobe InDesign 12.1.0 and earlier versions. An exploitable memory corruption vulnerability exists. Successful exploitation could lead to arbitrary code execution.
CVE-2017-11303 (v3: 9.8) 9 Dec 2017
An issue was discovered in Adobe Photoshop 18.1.1 (2017.1.1) and earlier versions. An exploitable memory corruption vulnerability exists. Successful exploitation could lead to arbitrary code execution.
CVE-2017-11275 (v3: 7.5) 11 Aug 2017
Adobe Digital Editions 4.5.4 and earlier has an exploitable heap overflow vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2017-11276 (v3: 7.5) 11 Aug 2017
Adobe Digital Editions 4.5.4 and earlier has an exploitable memory corruption vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2017-11277 (v3: 7.5) 11 Aug 2017
Adobe Digital Editions 4.5.4 and earlier has an exploitable memory corruption vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2017-11278 (v3: 7.5) 11 Aug 2017
Adobe Digital Editions 4.5.4 and earlier has an exploitable memory corruption vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2017-11280 (v3: 7.5) 11 Aug 2017
Adobe Digital Editions 4.5.4 and earlier has an exploitable memory corruption vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2017-3091 (v3: 7.5) 11 Aug 2017
Adobe Digital Editions 4.5.4 and earlier versions 4.5.4 and earlier have an exploitable memory corruption vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2017-3086 (v3: 9.8) 20 Jun 2017
Adobe Shockwave versions 12.2.8.198 and earlier have an exploitable memory corruption vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2017-3088 (v3: 10) 20 Jun 2017
Adobe Digital Editions versions 4.5.4 and earlier have an exploitable memory corruption vulnerability in the PDF runtime engine. Successful exploitation could lead to arbitrary code execution.
CVE-2017-3089 (v3: 9.8) 20 Jun 2017
Adobe Digital Editions versions 4.5.4 and earlier have an exploitable memory corruption vulnerability in the PDF imaging model. Successful exploitation could lead to arbitrary code execution.
CVE-2017-3093 (v3: 9.8) 20 Jun 2017
Adobe Digital Editions versions 4.5.4 and earlier have an exploitable memory corruption vulnerability in the bitmap representation module. Successful exploitation could lead to arbitrary code execution.
CVE-2017-3094 (v3: 9.8) 20 Jun 2017
Adobe Digital Editions versions 4.5.4 and earlier have an exploitable memory corruption vulnerability in the PDF processing engine. Successful exploitation could lead to arbitrary code execution.
CVE-2017-3095 (v3: 9.8) 20 Jun 2017
Adobe Digital Editions versions 4.5.4 and earlier have an exploitable memory corruption vulnerability in the PDF parsing engine. Successful exploitation could lead to arbitrary code execution.
CVE-2017-3096 (v3: 9.8) 20 Jun 2017
Adobe Digital Editions versions 4.5.4 and earlier have an exploitable memory corruption vulnerability in the character code mapping module. Successful exploitation could lead to arbitrary code execution.
CVE-2017-2973 (v3: 9.8) 15 Feb 2017
Adobe Digital Editions versions 4.5.3 and earlier have an exploitable heap overflow vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2016-7856 (v3: 9.8) 15 Dec 2016
Adobe DNG Converter versions 9.7 and earlier have an exploitable memory corruption vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2016-7866 (v3: 9.8) 15 Dec 2016
Adobe Animate versions 15.2.1.95 and earlier have an exploitable memory corruption vulnerability. Successful exploitation could lead to arbitrary code execution.

Improper Input Validation

CVE-2020-3794 (v3: 9.8) 25 Mar 2020
ColdFusion versions ColdFusion 2016, and ColdFusion 2018 have a file inclusion vulnerability. Successful exploitation could lead to arbitrary code execution of files located in the webroot or its subdirectory.
CVE-2018-15960 (v3: 7.5) 25 Sep 2018
Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a use of a component with a known vulnerability vulnerability. Successful exploitation could lead to arbitrary file overwrite.
CVE-2018-12807 (v3: 5.3) 29 Aug 2018
Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have an input validation bypass vulnerability. Successful exploitation could lead to unauthorized information modification.
CVE-2018-4992 (v3: 7.8) 19 May 2018
Adobe Creative Cloud Desktop Application versions 4.4.1.298 and earlier have an exploitable Improper input validation vulnerability. Successful exploitation could lead to local privilege escalation.
CVE-2018-4943 (v3: 8.8) 19 May 2018
Adobe PhoneGap Push Plugin versions 1.8.0 and earlier have an exploitable Same-Origin Method Execution vulnerability. Successful exploitation could lead to JavaScript code execution in the context of the PhoneGap app.
CVE-2017-3098 (v3: 9.8) 20 Jun 2017
Adobe Captivate versions 9 and earlier have a remote code execution vulnerability in the quiz reporting feature that could be abused to read and write arbitrary files to the server.
CVE-2017-2989 (v3: 9.1) 12 Apr 2017
Adobe Campaign versions Build 8770 and earlier have an input validation bypass that could be exploited to read, write, or delete data from the Campaign database.
CVE-2016-4165 (v3: 9.8) 16 Jun 2016
The extension manager in Adobe Brackets before 1.7 allows attackers to have an unspecified impact via invalid input.
CVE-2016-1115 (v3: 5.9) 11 May 2016
Adobe ColdFusion 10 before Update 19, 11 before Update 8, and 2016 before Update 1 mishandles wildcards in name fields of X.509 certificates, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.
CVE-2015-0301 (v2: 10) 13 Jan 2015
Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe AIR before 16.0.0.245 on Windows and OS X and before 16.0.0.272 on Android, Adobe AIR SDK before 16.0.0.272, and Adobe AIR SDK & Compiler before 16.0.0.272 do not properly validate files, which has unspecified impact and attack vectors.
CVE-2013-3342 (v2: 10) 16 May 2013
Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 do not properly handle operating-system domain blacklists, which has unspecified impact and attack vectors.
CVE-2012-4176 (v2: 10) 23 Oct 2012
Array index error in Adobe Shockwave Player before 11.6.8.638 allows attackers to execute arbitrary code via unspecified vectors.
CVE-2011-2442 (v2: 9.3) 15 Sep 2011
Adobe Reader and Acrobat 8.x before 8.3.1, 9.x before 9.4.6, and 10.x before 10.1.1 allow attackers to execute arbitrary code via unspecified vectors, related to a "logic error vulnerability."
CVE-2011-2092 (v2: 10) 16 Jun 2011
Adobe LiveCycle Data Services 3.1 and earlier, LiveCycle 9.0.0.2 and earlier, and BlazeDS 4.0.1 and earlier do not properly restrict creation of classes during deserialization of (1) AMF and (2) AMFX data, which allows attackers to have an unspecified impact via unknown vectors, related to a "deserialization vulnerability."
CVE-2011-2093 (v2: 5) 16 Jun 2011
Adobe LiveCycle Data Services 3.1 and earlier, LiveCycle 9.0.0.2 and earlier, and BlazeDS 4.0.1 and earlier do not properly handle object graphs, which allows attackers to cause a denial of service via unspecified vectors, related to a "complex object graph vulnerability."
CVE-2011-2118 (v2: 9.3) 16 Jun 2011
The FLV ASSET Xtra component in Adobe Shockwave Player before 11.6.0.626 allows attackers to execute arbitrary code via unspecified vectors, related to an "input validation vulnerability."
CVE-2011-0581 (v2: 4.3) 10 Feb 2011
Multiple CRLF injection vulnerabilities in Adobe ColdFusion 8.0 through 9.0.1 allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified tags.

Exposure to Unauthorized Actor

CVE-2020-3761 (v3: 7.5) 25 Mar 2020
ColdFusion versions ColdFusion 2016, and ColdFusion 2018 have a remote file read vulnerability. Successful exploitation could lead to arbitrary file read from the coldfusion install directory.
CVE-2019-16468 (v3: 7.5) 15 Jan 2020
Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 have an user interface injection vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2019-16469 (v3: 7.5) 15 Jan 2020
Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 have an expression language injection vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2019-8072 (v3: 7.5) 27 Sep 2019
ColdFusion 2018- update 4 and earlier and ColdFusion 2016- update 11 and earlier have a Security bypass vulnerability. Successful exploitation could lead to Information Disclosure in the context of the current user.
CVE-2018-19718 (v3: 5.3) 18 Jan 2019
Adobe Connect versions 9.8.1 and earlier have a session token exposure vulnerability. Successful exploitation could lead to exposure of the privileges granted to a session.
CVE-2018-15962 (v3: 5.3) 25 Sep 2018
Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a directory listing vulnerability. Successful exploitation could lead to information disclosure.
CVE-2018-15964 (v3: 7.5) 25 Sep 2018
Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a use of a component with a known vulnerability vulnerability. Successful exploitation could lead to information disclosure.
CVE-2017-16369 (v3: 6.5) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This vulnerability is an instance of a Same Origin Policy security bypass vulnerability, affecting files on the local system, etc.
CVE-2017-11273 (v3: 5.5) 9 Dec 2017
An issue was discovered in Adobe Digital Editions 4.5.6 and earlier versions. Adobe Digital Editions parses crafted XML files in an unsafe manner, which could lead to sensitive information disclosure.
CVE-2017-3111 (v3: 7.5) 9 Dec 2017
An issue was discovered in Adobe Experience Manager 6.3, 6.2, 6.1, 6.0. Sensitive tokens are included in http GET requests under certain circumstances.
CVE-2017-3107 (v3: 7.5) 11 Aug 2017
Adobe Experience Manager 6.3 and earlier has a misconfiguration vulnerability.
CVE-2017-3110 (v3: 7.5) 11 Aug 2017
Adobe Experience Manager 6.1 and earlier has a sensitive data exposure vulnerability.
CVE-2017-3087 (v3: 7.5) 20 Jun 2017
Adobe Captivate versions 9 and earlier have an information disclosure vulnerability resulting from abuse of the quiz reporting feature in Captivate.
CVE-2017-3067 (v3: 7.5) 9 May 2017
Adobe Experience Manager Forms versions 6.2, 6.1, 6.0 have an information disclosure vulnerability resulting from abuse of the pre-population service in AEM Forms.
CVE-2016-7887 (v3: 7.5) 15 Dec 2016
Adobe ColdFusion Builder versions 2016 update 2 and earlier, 3.0.3 and earlier have an important vulnerability that could lead to information disclosure.
CVE-2016-7888 (v3: 5.3) 15 Dec 2016
Adobe Digital Editions versions 4.5.2 and earlier has an important vulnerability that could lead to memory address leak.
CVE-2016-7889 (v3: 7.5) 15 Dec 2016
Adobe Digital Editions versions 4.5.2 and earlier has an issue with parsing crafted XML entries that could lead to information disclosure.
CVE-2016-4253 (v3: 5.3) 9 Aug 2016
The Backup functionality in Adobe Experience Manager 5.6.1, 6.0, 6.1, and 6.2 allows attackers to obtain sensitive information via unspecified vectors.
CVE-2016-4169 (v3: 5.3) 9 Aug 2016
Adobe Experience Manager 6.0, 6.1, and 6.2 allow attackers to obtain sensitive audit log event information via unspecified vectors.
CVE-2016-1035 (v3: 7.5) 12 Apr 2016
Adobe RoboHelp Server 9 before 9.0.1 mishandles SQL queries, which allows attackers to obtain sensitive information via unspecified vectors.
CVE-2015-5088 (v2: 5) 15 Jul 2015
Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, Acrobat and Acrobat Reader DC Classic before 2015.006.30060, and Acrobat and Acrobat Reader DC Continuous before 2015.008.20082 on Windows and OS X allow attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors, a different vulnerability than CVE-2014-8450, CVE-2015-4449, CVE-2015-4450, CVE-2015-5089, and CVE-2015-5092.
CVE-2015-5089 (v2: 5) 15 Jul 2015
Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, Acrobat and Acrobat Reader DC Classic before 2015.006.30060, and Acrobat and Acrobat Reader DC Continuous before 2015.008.20082 on Windows and OS X allow attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors, a different vulnerability than CVE-2014-8450, CVE-2015-4449, CVE-2015-4450, CVE-2015-5088, and CVE-2015-5092.
CVE-2015-4449 (v2: 5) 15 Jul 2015
Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, Acrobat and Acrobat Reader DC Classic before 2015.006.30060, and Acrobat and Acrobat Reader DC Continuous before 2015.008.20082 on Windows and OS X allow attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors, a different vulnerability than CVE-2014-8450, CVE-2015-4450, CVE-2015-5088, CVE-2015-5089, and CVE-2015-5092.
CVE-2014-8068 (v2: 5) 9 Oct 2014
Adobe Digital Editions (DE) 4 does not use encryption for transmission of data to adelogs.adobe.com, which allows remote attackers to obtain sensitive information by sniffing the network, as demonstrated by book-navigation information.
CVE-2013-2737 (v2: 5) 16 May 2013
A JavaScript API in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allows attackers to obtain sensitive information via unspecified vectors.
CVE-2013-0632 (v2: 10) 17 Jan 2013
administrator.cfc in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication and possibly execute arbitrary code by logging in to the RDS component using the default empty password and leveraging this session to access the administrative web interface, as exploited in the wild in January 2013.
CVE-2013-0631 (v2: 5) 9 Jan 2013
Adobe ColdFusion 9.0, 9.0.1, and 9.0.2 allows attackers to obtain sensitive information via unspecified vectors, as exploited in the wild in January 2013.
CVE-2011-0736 (v2: 4.3) 1 Feb 2011
** DISPUTED ** Adobe ColdFusion 9.0.1 CHF1 and earlier, when a web application is configured to use a DBMS, allows remote attackers to obtain potentially sensitive information about the database structure via an id=- query to a .cfm file. NOTE: the vendor disputes the significance of this issue because the Site-wide Error Handler and Debug Output Settings sections of the ColdFusion Lockdown guide explain the requirement for settings that prevent this information disclosure.
CVE-2011-0737 (v2: 5) 1 Feb 2011
** DISPUTED ** Adobe ColdFusion 9.0.1 CHF1 and earlier allows remote attackers to obtain sensitive information via an id=- query to a .cfm file, which reveals the installation path in an error message. NOTE: the vendor disputes the significance of this issue because the Site-wide Error Handler and Debug Output Settings sections of the ColdFusion Lockdown guide explain the requirement for settings that prevent this information disclosure.

Improper SQL ('SQL Injection')

Out-of-bounds Read

CVE-2018-12817 (v3: 7.5) 18 Jan 2019
Adobe Digital Editions versions 4.5.9 and below have an out of bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2018-15980 (v3: 7.5) 29 Nov 2018
Adobe Photoshop CC versions 19.1.6 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2018-12816 (v3: 7.5) 17 Oct 2018
Adobe Digital Editions versions 4.5.8 and below have an out of bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2018-12818 (v3: 7.5) 17 Oct 2018
Adobe Digital Editions versions 4.5.8 and below have an out of bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2018-12819 (v3: 7.5) 17 Oct 2018
Adobe Digital Editions versions 4.5.8 and below have an out of bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2018-12820 (v3: 7.5) 17 Oct 2018
Adobe Digital Editions versions 4.5.8 and below have an out of bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2018-12821 (v3: 7.5) 17 Oct 2018
Adobe Digital Editions versions 4.5.8 and below have an out of bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2017-11306 (v3: 9.8) 19 May 2018
Adobe Acrobat and Reader versions 2017.012.20098 and earlier, 2017.011.30066 and earlier, 2015.006.30355 and earlier, 11.0.22 and earlier have an exploitable out-of-bounds read vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
CVE-2017-11307 (v3: 9.8) 19 May 2018
Adobe Acrobat and Reader versions 2017.012.20098 and earlier, 2017.011.30066 and earlier, 2015.006.30355 and earlier, 11.0.22 and earlier have an exploitable out-of-bounds read vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
CVE-2018-4880 (v3: 6.5) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of the conversion module that reads U3D data. A successful attack can lead to sensitive data exposure.
CVE-2018-4881 (v3: 6.5) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of the image conversion module that reads bitmap image file (BMP) data. A successful attack can lead to sensitive data exposure.
CVE-2018-4882 (v3: 6.5) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of the string literal parser. A successful attack can lead to sensitive data exposure.
CVE-2018-4883 (v3: 6.5) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability occurs because of computation that reads data that is past the end of the target buffer; the computation is part of the image conversion engine that handles Enhanced Metafile Format (EMF). A successful attack can lead to sensitive data exposure.
CVE-2018-4884 (v3: 6.5) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of the image conversion engine when processing Enhanced Metafile Format (EMF) data that embeds an image in the bitmap (BMP) file format. A successful attack can lead to sensitive data exposure.
CVE-2018-4885 (v3: 6.5) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of Enhanced Metafile Format processing engine (within the image conversion module). A successful attack can lead to sensitive data exposure.
CVE-2018-4886 (v3: 6.5) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation occurs in the image conversion engine when processing Enhanced Metafile Format (EMF) data related to handling of bitmap rectangles. A successful attack can lead to sensitive data exposure.
CVE-2018-4887 (v3: 6.5) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of the Unicode mapping module that is invoked when processing Enhanced Metafile Format (EMF) data (during image conversion). A successful attack can lead to sensitive data exposure.
CVE-2018-4889 (v3: 6.5) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of the XPS image conversion. A successful attack can lead to sensitive data exposure.
CVE-2018-4891 (v3: 6.5) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of the XPS module that handles TIFF data. A successful attack can lead to sensitive data exposure.
CVE-2018-4893 (v3: 6.5) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of XPS font processing. A successful attack can lead to sensitive data exposure.
CVE-2018-4894 (v3: 6.5) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of the XPS font processing. A successful attack can lead to sensitive data exposure.
CVE-2018-4896 (v3: 6.5) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of the image conversion module that handles Enhanced Metafile Format Plus (EMF+) data. A successful attack can lead to sensitive data exposure.
CVE-2018-4897 (v3: 6.5) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of the image conversion module that parses TIFF metadata. A successful attack can lead to sensitive data exposure.
CVE-2018-4899 (v3: 6.5) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of the initial XPS page processing. A successful attack can lead to sensitive data exposure.
CVE-2018-4900 (v3: 6.5) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of JavaScript manipulation of an Annotation object. A successful attack can lead to sensitive data exposure.
CVE-2018-4903 (v3: 6.5) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of the TIFF processing within the XPS module. A successful attack can lead to sensitive data exposure.
CVE-2018-4905 (v3: 6.5) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of TIFF processing within the XPS module. A successful attack can lead to sensitive data exposure.
CVE-2018-4906 (v3: 6.5) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of the image conversion module that handles Enhanced Metafile Format Plus (EMF+) data related to graphic object image attributes. A successful attack can lead to sensitive data exposure.
CVE-2018-4907 (v3: 6.5) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of the TIFF processing in the XPS module. A successful attack can lead to sensitive data exposure.
CVE-2018-4908 (v3: 6.5) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of the TTF font processing in the XPS module. A successful attack can lead to sensitive data exposure.
CVE-2018-4909 (v3: 6.5) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of the image conversion module when processing metadata in JPEG images. A successful attack can lead to sensitive data exposure.
CVE-2018-4912 (v3: 6.5) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of the image conversion module that handles JPEG 2000 data. A successful attack can lead to sensitive data exposure.
CVE-2018-4914 (v3: 6.5) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of the TIFF processing in the XPS engine. A successful attack can lead to sensitive data exposure.
CVE-2017-16362 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This vulnerability is an instance of an out of bounds read vulnerability in the MakeAccesible plugin, when handling font data. It causes an out of bounds memory access, which sometimes triggers an access violation exception. Attackers can exploit the vulnerability by using the out of bounds access for unintended reads, writes, or frees, potentially leading to code corruption, control-flow hijack, or an information leak attack.
CVE-2017-16363 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. The vulnerability is caused by a buffer over-read in the module that handles character codes for certain textual representations. Invalid input leads to a computation where the pointer arithmetic results in a location outside valid memory locations belonging to the buffer. An attack can be used to obtain sensitive information, such as object heap addresses, etc.
CVE-2017-16365 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. The vulnerability is caused by a buffer over-read in the True Type2 Font parsing module. A corrupted cmap table input leads to a computation where the pointer arithmetic results in a location outside valid memory locations belonging to the buffer. An attack can be used to obtain sensitive information, such as object heap addresses, etc.
CVE-2017-16370 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This vulnerability occurs because of a computation that reads data that is past the end of the target buffer; the computation is a part of the JavaScript engine. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.
CVE-2017-16374 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. The vulnerability is caused by a buffer over-read in the JPEG 2000 module. An invalid JPEG 2000 input code stream leads to a computation where the pointer arithmetic results in a location outside valid memory locations belonging to the buffer. An attack can be used to obtain sensitive information, such as object heap addresses, etc.
CVE-2017-16376 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This vulnerability occurs as a result of a computation that reads data that is past the end of the target buffer; the computation is a part of the MakeAccessible plugin. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.
CVE-2017-16382 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This vulnerability occurs as a result of a computation that reads data that is past the end of the target buffer; the computation is part of the image conversion module. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.
CVE-2017-16384 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. The vulnerability is caused by a buffer over-read in the exif processing module for a PNG file (during XPS conversion). Invalid input leads to a computation where pointer arithmetic results in a location outside valid memory locations belonging to the buffer. An attack can be used to obtain sensitive information, such as object heap addresses, etc.
CVE-2017-16394 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This vulnerability occurs as a result of a computation that reads data that is past the end of the target buffer; the computation is a part of the WebCapture module. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.
CVE-2017-16397 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This vulnerability occurs as a result of a computation that reads data that is past the end of the target buffer; the computation is a part of Enhanced Metafile Format (EMF) processing within the image conversion module. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.
CVE-2017-16399 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This issue is due to an untrusted pointer dereference in the XPS parsing module. In this scenario, the input is crafted in a way that the computation results in pointers to memory locations that do not belong to the relevant process address space. The dereferencing operation is a read operation, and an attack can result in sensitive data exposure.
CVE-2017-16400 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This vulnerability occurs as a result of a computation that reads data that is past the end of the target buffer; the computation is part of the JPEG 2000 parser. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.
CVE-2017-16401 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This vulnerability occurs as a result of a computation that reads data that is past the end of the target buffer; the computation is part of an image conversion, specifically in Enhanced Metafile Format Plus (EMF +) processing modules. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.
CVE-2017-16402 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This vulnerability occurs as a result of a computation that reads data that is past the end of the target buffer; the computation is a part of the JPEG 2000 module. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.
CVE-2017-16403 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This vulnerability occurs as a result of a computation that reads data that is past the end of the target buffer; the computation is part of the image conversion module that processes Enhanced Metafile Format Plus (EMF+) data. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.
CVE-2017-16404 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. The vulnerability is caused by a computation that writes data past the end of the intended buffer; the computation is part of processing Enhanced Metafile Format Plus (EMF+). The vulnerability is a result of an out of range pointer offset that is used to access sub-elements of an internal data structure. An attacker can potentially leverage the vulnerability to corrupt sensitive data or execute arbitrary code.
CVE-2017-16405 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This vulnerability occurs as a result of a computation that reads data that is past the end of the target buffer; the computation is part of Acrobat's page display functionality. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.

Cross-Site Request Forgery (CSRF)

CVE-2019-8234 (v3: 6.5) 25 Oct 2019
Adobe Experience Manager versions 6.4, 6.3 and 6.2 have a cross-site request forgery vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2019-7953 (v3: 6.5) 18 Jul 2019
Adobe Experience Manager version 6.4 and ealier have a Cross-Site Request Forgery vulnerability. Successful exploitation could lead to Sensitive Information disclosure in the context of the current user.
CVE-2016-7885 (v3: 8.8) 15 Dec 2016
Adobe Experience Manager versions 6.2 and earlier have a vulnerability that could be used in Cross-Site Request Forgery attacks.
CVE-2016-0948 (v3: 8.8) 10 Feb 2016
Cross-site request forgery (CSRF) vulnerability in Adobe Connect before 9.5.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
CVE-2014-0570 (v2: 6.8) 15 Oct 2014
Cross-site request forgery (CSRF) vulnerability in Adobe ColdFusion 9.0 before Update 13, 9.0.1 before Update 12, 9.0.2 before Update 7, 10 before Update 14, and 11 before Update 2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
CVE-2011-0629 (v2: 6.8) 16 Jun 2011
Cross-site request forgery (CSRF) vulnerability in Adobe ColdFusion 8.0, 8.0.1, 9.0, and 9.0.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

Path Traversal

CVE-2019-8074 (v3: 9.8) 27 Sep 2019
ColdFusion 2018- update 4 and earlier and ColdFusion 2016- update 11 and earlier have a Path Traversal vulnerability. Successful exploitation could lead to Access Control Bypass in the context of the current user.

Improper Access Control

CVE-2015-5090 (v2: 7.5) 15 Jul 2015
Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, Acrobat and Acrobat Reader DC Classic before 2015.006.30060, and Acrobat and Acrobat Reader DC Continuous before 2015.008.20082 on Windows and OS X allow attackers to bypass intended access restrictions and perform a transition from Low Integrity to Medium Integrity via unspecified vectors, a different vulnerability than CVE-2015-4446 and CVE-2015-5106.

Use After Free

CVE-2018-12822 (v3: 9.8) 17 Oct 2018
Adobe Digital Editions versions 4.5.8 and below have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2018-4888 (v3: 8.8) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability is an instance of a use after free vulnerability. The vulnerability is triggered by a crafted PDF file that can cause a memory access violation exception in the XFA engine because of a dangling reference left as a consequence of freeing an object in the computation that manipulates internal nodes in a graph representation of a document object model used in XFA. Successful exploitation could lead to arbitrary code execution.
CVE-2018-4892 (v3: 8.8) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability is an instance of a use after free vulnerability in the JBIG2 decoder. The vulnerability is triggered by a crafted PDF file that contains a malformed JBIG2 stream. Successful exploitation could lead to arbitrary code execution.
CVE-2018-4902 (v3: 8.8) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability is an instance of a use after free vulnerability in the rendering engine. The vulnerability is triggered by a crafted PDF file containing a video annotation (and corresponding media files) that is activated by the embedded JavaScript. Successful exploitation could lead to arbitrary code execution.
CVE-2018-4911 (v3: 8.8) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability is an instance of a use after free vulnerability in the JavaScript API related to bookmark functionality. The vulnerability is triggered by crafted JavaScript code embedded within a PDF file. A successful attack can lead to code corruption, control-flow hijack, or a code re-use attack.
CVE-2018-4913 (v3: 8.8) 27 Feb 2018
An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability is an instance of a use after free vulnerability in the XFA engine, related to DOM manipulation. The vulnerability is triggered by crafted XFA script definitions in a PDF file. Successful exploitation could lead to arbitrary code execution.
CVE-2017-16360 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This vulnerability is an instance of a use after free vulnerability in the MakeAccessible plugin, when creating an internal data structure. The mismatch between an old and a new object can provide an attacker with unintended memory access -- potentially leading to code corruption, control-flow hijack, or an information leak attack. Successful exploitation could lead to arbitrary code execution.
CVE-2017-16388 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This vulnerability is an instance of a use after free vulnerability in the JavaScript API engine. The mismatch between an old and a new object can provide an attacker with unintended memory access -- potentially leading to code corruption, control-flow hijack, or an information leak attack. Successful exploitation could lead to arbitrary code execution.
CVE-2017-16389 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This vulnerability is an instance of a use after free vulnerability in the JavaScript engine. The mismatch between an old and a new object can provide an attacker with unintended memory access. Successful exploitation could lead to arbitrary code execution.
CVE-2017-16390 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This vulnerability is an instance of a use after free vulnerability in the JavaScript engine API. The mismatch between an old and a new object can provide an attacker with unintended memory access -- potentially leading to code corruption, control-flow hijack, or an information leak attack. Successful exploitation could lead to arbitrary code execution.
CVE-2017-16393 (v3: 8.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This vulnerability is an instance of a use after free vulnerability in the JavaScript engine. The mismatch between an old and a new object can provide an attacker with unintended memory access -- potentially leading to code corruption, control-flow hijack, or an information leak attack. Successful exploitation could lead to arbitrary code execution.
CVE-2017-16398 (v3: 9.8) 9 Dec 2017
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This vulnerability is an instance of a use after free vulnerability in the JavaScript engine. The mismatch between an old and a new object can provide an attacker with unintended memory access -- potentially leading to code corruption, control-flow hijack, or an information leak attack. Successful exploitation could lead to arbitrary code execution.
CVE-2017-11304 (v3: 9.8) 9 Dec 2017
An issue was discovered in Adobe Photoshop 18.1.1 (2017.1.1) and earlier versions. An exploitable use-after-free vulnerability exists. Successful exploitation could lead to arbitrary code execution.
CVE-2017-11274 (v3: 9.8) 11 Aug 2017
Adobe Digital Editions 4.5.4 and earlier has an exploitable use after free vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2017-11279 (v3: 7.5) 11 Aug 2017
Adobe Digital Editions 4.5.4 and earlier has an exploitable use after free vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2017-3083 (v3: 9.8) 20 Jun 2017
Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable use after free vulnerability in the Primetime SDK functionality related to the profile metadata of the media stream. Successful exploitation could lead to arbitrary code execution.
CVE-2017-3084 (v3: 9.8) 20 Jun 2017
Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable use after free vulnerability in the advertising metadata functionality. Successful exploitation could lead to arbitrary code execution.
CVE-2016-6980 (v3: 9.8) 26 Sep 2016
Use-after-free vulnerability in Adobe Digital Editions before 4.5.2 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-4263.
CVE-2016-4263 (v3: 9.8) 16 Sep 2016
Use-after-free vulnerability in Adobe Digital Editions before 4.5.2 allows attackers to execute arbitrary code via unspecified vectors.