CVE-2024-49535

Acrobat Reader versions 24.005.20307, 24.001.30213, 24.001.30193, 20.005.30730, 20.005.30710 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that allows an attacker to provide malicious XML input containing a reference to an external entity, potentially leading to unauthorized read access outside the Acrobat sandbox. Exploitation of this issue requires user interaction in that a victim must process a malicious XML document.

CVSS v3 6.3 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 4.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://helpx.adobe.com/security/products/acrobat/apsb24-92.html	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:adobe:acrobat:::::classic:::*
	cpe:2.3:a:adobe:acrobat:::::classic:::*
	cpe:2.3:a:adobe:acrobat_dc:::::continuous:::*
	cpe:2.3:a:adobe:acrobat_reader:::::classic:::*
	cpe:2.3:a:adobe:acrobat_reader_dc:::::continuous:::*

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

History

No history.

Information

Published : 2024-12-10 20:15

Updated : 2025-01-23 18:36

NVD link : CVE-2024-49535

Mitre link : CVE-2024-49535

CVE.ORG link : CVE-2024-49535

JSON object : View

Products Affected

adobe

acrobat_reader
acrobat_reader_dc
acrobat
acrobat_dc

microsoft

windows

apple

macos

CWE

CWE-611

Improper Restriction of XML External Entity Reference

{"id": "CVE-2024-49535", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 1.8}]}, "published": "2024-12-10T20:15:18.923", "references": [{"url": "https://helpx.adobe.com/security/products/acrobat/apsb24-92.html", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "Acrobat Reader versions 24.005.20307, 24.001.30213, 24.001.30193, 20.005.30730, 20.005.30710 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that allows an attacker to provide malicious XML input containing a reference to an external entity, potentially leading to unauthorized read access outside the Acrobat sandbox. Exploitation of this issue requires user interaction in that a victim must process a malicious XML document."}, {"lang": "es", "value": "Las versiones 24.005.20307, 24.001.30213, 24.001.30193, 20.005.30730, 20.005.30710 y anteriores de Acrobat Reader se ven afectadas por una vulnerabilidad de restricci\u00f3n incorrecta de referencia de entidad externa XML ('XXE') que podr\u00eda provocar la ejecuci\u00f3n de c\u00f3digo arbitrario. Esta vulnerabilidad permite a un atacante proporcionar una entrada XML maliciosa que contenga una referencia a una entidad externa, lo que puede provocar la divulgaci\u00f3n de datos o la posible ejecuci\u00f3n de c\u00f3digo. Para aprovechar este problema es necesaria la interacci\u00f3n del usuario, ya que la v\u00edctima debe procesar un documento XML malicioso."}], "lastModified": "2025-01-23T18:36:07.750", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:adobe:acrobat:*:*:*:*:classic:*:*:*", "vulnerable": true, "matchCriteriaId": "8629BF4A-1E7E-4EBB-8175-DABB9241A689", "versionEndExcluding": "20.005.30748", "versionStartIncluding": "20.001.30002"}, {"criteria": "cpe:2.3:a:adobe:acrobat:*:*:*:*:classic:*:*:*", "vulnerable": true, "matchCriteriaId": "62086AC3-1580-4DC5-93E2-04C7A6F06C45", "versionEndExcluding": "24.001.30225", "versionStartIncluding": "24.0.0"}, {"criteria": "cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:continuous:*:*:*", "vulnerable": true, "matchCriteriaId": "8064F314-801F-4BEC-9EE2-120733E8B206", "versionEndExcluding": "24.005.20320"}, {"criteria": "cpe:2.3:a:adobe:acrobat_reader:*:*:*:*:classic:*:*:*", "vulnerable": true, "matchCriteriaId": "89E5AB91-6C0C-47AD-97F1-D5FC4AAEB5DC", "versionEndExcluding": "20.005.30748", "versionStartIncluding": "20.001.30002"}, {"criteria": "cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:continuous:*:*:*", "vulnerable": true, "matchCriteriaId": "BBF2907B-0265-4E40-BB1B-772CCF3E67FA", "versionEndExcluding": "24.005.20320"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "[email protected]"}