| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2022-28820 | 79 |  | XSS | 2022-04-21 | 2022-05-03 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
ACS Commons version 5.1.x (and earlier) suffers from a Reflected Cross-site Scripting (XSS) vulnerability in /apps/acs-commons/content/page-compare.html endpoint via the a and b GET parameters. User input submitted via these parameters is not validated or sanitised. An attacker must provide a link to someone with access to AEM Author, and could potentially exploit this vulnerability to inject malicious JavaScript content into vulnerable form fields and execute it within the context of the victim's browser. The exploitation of this issue requires user interaction in order to be successful. |
| 2 | CVE-2022-23203 | 120 |  | Exec Code Overflow | 2022-02-16 | 2022-02-24 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Adobe Photoshop versions 22.5.4 (and earlier) and 23.1 (and earlier) are affected by a buffer overflow vulnerability due to insecure handling of a crafted file, potentially resulting in arbitrary code execution in the context of the current user. Exploitation requires user interaction in that a victim must open a crafted file in Photoshop. |
| 3 | CVE-2022-23202 | 427 |  | Exec Code | 2022-02-16 | 2022-02-24 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial |
Adobe Creative Cloud Desktop version 2.7.0.13 (and earlier) is affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must download a malicious DLL file. The attacker has to deliver the DLL in the same folder as the installer, which makes it a high-complexity attack vector. |
| 4 | CVE-2021-44178 | 79 |  | XSS | 2022-01-13 | 2022-01-15 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
AEM's Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by a reflected Cross-Site Scripting (XSS) vulnerability via the itemResourceType parameter. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. |
| 5 | CVE-2021-44177 | 79 |  | XSS | 2022-01-13 | 2022-01-14 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
AEM's Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. |
| 6 | CVE-2021-44176 | 79 |  | XSS | 2022-01-13 | 2022-01-14 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
AEM's Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. |
| 7 | CVE-2021-43765 | 79 |  | XSS | 2022-01-13 | 2022-01-14 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
AEM's Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. |
| 8 | CVE-2021-43764 | 79 |  | XSS | 2022-01-13 | 2022-01-14 | 3.5 | None | Remote | Medium | ??? | None | Partial | None |
AEM's Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. |
| 9 | CVE-2021-43762 | 20 |  | Bypass | 2022-01-13 | 2022-01-19 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None |
AEM's Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by a dispatcher bypass vulnerability that could be abused to evade security controls. Sensitive areas of the web application may be exposed through exploitation of the vulnerability. |
| 10 | CVE-2021-43761 | 79 |  | XSS | 2022-01-13 | 2022-01-19 | 3.5 | None | Remote | Medium | ??? | None | Partial | None |
AEM's Cloud Service offering, as well as versions 6.5.7.0 (and below), 6.4.8.3 (and below) and 6.3.3.8 (and below) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. |
| 11 | CVE-2021-42725 | 788 |  | Exec Code Mem. Corr. | 2021-11-16 | 2022-03-16 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
Adobe Bridge version 11.1.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious M4A file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability. |
| 12 | CVE-2021-42722 | 125 |  | Exec Code | 2022-03-16 | 2022-03-22 | 4.4 | None | Local | Medium | Not required | Partial | Partial | Partial |
Adobe Bridge version 11.1.1 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| 13 | CVE-2021-42720 | 125 |  | Exec Code | 2022-03-16 | 2022-03-22 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Adobe Bridge version 11.1.1 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| 14 | CVE-2021-42719 | 125 |  | Exec Code | 2022-03-16 | 2022-03-22 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Adobe Bridge version 11.1.1 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a crafted .jpe file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| 15 | CVE-2021-42533 | 415 |  | Exec Code | 2022-03-16 | 2022-03-22 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Adobe Bridge version 11.1.1 (and earlier) is affected by a double free vulnerability when parsing a crafted DCM file, which could result in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit. |
| 16 | CVE-2021-42528 | 476 |  |  | 2022-05-02 | 2022-05-11 | 7.1 | None | Remote | Medium | Not required | None | None | Complete |
XMP Toolkit 2021.07 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| 17 | CVE-2021-42268 | 476 |  |  | 2021-11-18 | 2021-11-18 | 4.3 | None | Remote | Medium | Not required | None | None | Partial |
Adobe Animate version 21.0.9 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted FLA file. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| 18 | CVE-2021-40732 | 476 |  | DoS | 2021-10-13 | 2022-02-04 | 5.8 | None | Remote | Medium | Not required | Partial | None | Partial |
XMP Toolkit version 2020.1 (and earlier) is affected by a null pointer dereference vulnerability that could result in leaking data from certain memory locations and causing a local denial of service in the context of the current user. User interaction is required to exploit this vulnerability in that the victim will need to open a specially crafted MXF file. |
| 19 | CVE-2021-40722 | 611 |  |  | 2022-01-13 | 2022-01-19 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
AEM Forms Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by an XML External Entity (XXE) injection vulnerability that could be abused by an attacker to achieve RCE. |
| 20 | CVE-2021-40721 | 79 |  | XSS | 2021-10-15 | 2022-02-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Adobe Connect version 11.2.3 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. |
| 21 | CVE-2021-40719 | 502 |  | Exec Code | 2021-10-21 | 2021-11-30 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
Adobe Connect version 11.2.3 (and earlier) is affected by a Deserialization of Untrusted Data vulnerability that allows arbitrary method invocation when AMF messages are deserialized on an Adobe Connect server. An attacker can leverage this to achieve remote code execution on the server. |
| 22 | CVE-2021-40716 | 125 |  | Bypass | 2021-09-29 | 2021-10-07 | 4.3 | None | Remote | Medium | Not required | Partial | None | None |
XMP Toolkit SDK versions 2021.07 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| 23 | CVE-2021-40714 | 79 |  | XSS | 2021-09-27 | 2022-02-05 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Adobe Experience Manager version 6.5.9.0 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability via the accesskey parameter. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. |
| 24 | CVE-2021-40713 | 295 |  |  | 2021-09-27 | 2021-10-01 | 4.3 | None | Remote | Medium | Not required | Partial | None | None |
Adobe Experience Manager version 6.5.9.0 (and earlier) is affected by an improper certificate validation vulnerability in the cold storage component. If an attacker can achieve a man-in-the-middle position when the cold server establishes a new certificate, they would be able to harvest sensitive information. |
| 25 | CVE-2021-40712 | 20 |  | DoS | 2021-09-27 | 2021-10-01 | 4.0 | None | Remote | Low | ??? | None | None | Partial |
Adobe Experience Manager version 6.5.9.0 (and earlier) is affected by an improper input validation vulnerability via the path parameter. An authenticated attacker can send a malformed POST request to achieve server-side denial of service. |
| 26 | CVE-2021-40711 | 79 |  | Exec Code XSS | 2021-09-27 | 2022-02-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None |
Adobe Experience Manager version 6.5.9.0 (and earlier) is affected by a stored XSS vulnerability when creating Content Fragments. An authenticated attacker can send a malformed POST request to achieve arbitrary code execution. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. |
| 27 | CVE-2021-40697 | 125 |  | Bypass | 2021-09-29 | 2021-10-04 | 4.3 | None | Remote | Medium | Not required | Partial | None | None |
Adobe Framemaker versions 2019 Update 8 (and earlier) and 2020 Release Update 2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| 28 | CVE-2021-39865 | 125 |  | Bypass | 2021-09-29 | 2022-03-31 | 4.3 | None | Remote | Medium | Not required | Partial | None | None |
Adobe Framemaker versions 2019 Update 8 (and earlier) and 2020 Release Update 2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| 29 | CVE-2021-39864 | 352 |  | CSRF | 2021-10-15 | 2021-10-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Adobe Commerce versions 2.4.2-p2 (and earlier), 2.4.3 (and earlier) and 2.3.7p1 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via a Wishlist Share Link. Successful exploitation could lead to unauthorized addition to customer cart by an unauthenticated attacker. Access to the admin console is not required for successful exploitation. |
| 30 | CVE-2021-39862 | 125 |  | Bypass | 2021-09-29 | 2021-10-04 | 4.3 | None | Remote | Medium | Not required | Partial | None | None |
Adobe Framemaker versions 2019 Update 8 (and earlier) and 2020 Release Update 2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| 31 | CVE-2021-39825 | 787 |  | Exec Code | 2021-09-27 | 2021-10-04 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Photoshop Elements versions 2021 build 19.0 (20210304.m.156367) (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious TTF file. |
| 32 | CVE-2021-39819 | 119 |  | Exec Code Overflow Mem. Corr. | 2021-09-27 | 2022-04-25 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Adobe InCopy version 11.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious XML file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability. |
| 33 | CVE-2021-39818 | 119 |  | Exec Code Overflow Mem. Corr. | 2021-09-27 | 2022-04-25 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Adobe InCopy version 11.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious TIFF file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability. |
| 34 | CVE-2021-36063 | 79 |  | XSS | 2021-09-01 | 2021-09-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Adobe Connect version 11.2.2 (and earlier) is affected by a Reflected Cross-site Scripting vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. |
| 35 | CVE-2021-36062 | 79 |  | XSS | 2021-09-01 | 2021-09-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Adobe Connect version 11.2.2 (and earlier) is affected by a Reflected Cross-site Scripting vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. |
| 36 | CVE-2021-36061 | 657 |  |  | 2021-09-01 | 2021-09-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Adobe Connect version 11.2.2 (and earlier) is affected by a secure design principles violation vulnerability via the 'pbMode' parameter. An unauthenticated attacker could leverage this vulnerability to edit or delete recordings on the Connect environment. Exploitation of this issue requires user interaction in that a victim must publish a link of a Connect recording. |
| 37 | CVE-2021-36058 | 190 |  | DoS Overflow | 2021-09-01 | 2021-10-27 | 4.3 | None | Remote | Medium | Not required | None | None | Partial |
XMP Toolkit SDK version 2020.1 (and earlier) is affected by an Integer Overflow vulnerability potentially resulting in application-level denial of service in the context of the current user. Exploitation requires user interaction in that a victim must open a crafted file. |
| 38 | CVE-2021-36057 | 123 |  | DoS | 2021-09-01 | 2021-10-27 | 2.1 | None | Local | Low | Not required | None | None | Partial |
XMP Toolkit SDK version 2020.1 (and earlier) is affected by a write-what-where condition vulnerability caused during the application's memory allocation process. This may cause the memory management functions to become mismatched resulting in local application denial of service in the context of the current user. |
| 39 | CVE-2021-36054 | 122 |  | DoS Overflow | 2021-09-01 | 2021-10-27 | 4.3 | None | Remote | Medium | Not required | None | None | Partial |
XMP Toolkit SDK version 2020.1 (and earlier) is affected by a buffer overflow vulnerability potentially resulting in local application denial of service in the context of the current user. Exploitation requires user interaction in that a victim must open a crafted file. |
| 40 | CVE-2021-36053 | 125 |  | Bypass | 2021-09-01 | 2021-10-27 | 4.3 | None | Remote | Medium | Not required | Partial | None | None |
XMP Toolkit SDK versions 2020.1 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of arbitrary memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| 41 | CVE-2021-36052 | 788 |  | Exec Code Mem. Corr. | 2021-09-01 | 2021-10-27 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
XMP Toolkit version 2020.1 (and earlier) is affected by a memory corruption vulnerability, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability. |
| 42 | CVE-2021-36051 | 120 |  | Exec Code Overflow | 2021-10-04 | 2021-10-27 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
XMP Toolkit SDK version 2020.1 (and earlier) is affected by a buffer overflow vulnerability potentially resulting in arbitrary code execution in the context of the current user. Exploitation requires user interaction in that a victim must open a specially-crafted .cpp file. |
| 43 | CVE-2021-36045 | 125 |  | Bypass | 2021-09-01 | 2021-10-27 | 4.3 | None | Remote | Medium | Not required | Partial | None | None |
XMP Toolkit SDK versions 2020.1 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of arbitrary memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| 44 | CVE-2021-36044 | 20 |  |  | 2021-09-01 | 2021-09-08 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An unauthenticated attacker could abuse this vulnerability to cause a server-side denial-of-service using a GraphQL field. |
| 45 | CVE-2021-36043 | 918 |  | Exec Code | 2021-09-01 | 2021-09-08 | 6.0 | None | Remote | Medium | ??? | Partial | Partial | Partial |
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a blind SSRF vulnerability in the bundled dotmailer extension. An attacker with admin privileges could abuse this to achieve remote code execution should Redis be enabled. |
| 46 | CVE-2021-36042 | 20 |  | Exec Code | 2021-09-01 | 2021-09-08 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial |
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the API File Option Upload Extension. An attacker with Admin privileges can achieve unrestricted file upload which can result in remote code execution. |
| 47 | CVE-2021-36041 | 20 |  | Exec Code | 2021-09-01 | 2021-09-08 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial |
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges could upload a specially crafted file in the `pub/media` directory, which could lead to remote code execution. |
| 48 | CVE-2021-36040 | 20 |  | Exec Code Bypass | 2021-09-01 | 2021-09-08 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial |
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges can upload a specially crafted file to bypass file extension restrictions, which could lead to remote code execution. |
| 49 | CVE-2021-36039 | 863 |  |  | 2021-09-01 | 2021-09-08 | 4.0 | None | Remote | Low | ??? | Partial | None | None |
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability via the `quoteId` parameter. An attacker can abuse this vulnerability to disclose sensitive information. |
| 50 | CVE-2021-36038 | 20 |  |  | 2021-09-01 | 2021-09-08 | 4.0 | None | Remote | Low | ??? | Partial | None | None |
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the Multishipping Module. An authenticated attacker could leverage this vulnerability to achieve sensitive information disclosure. |