CVE-2024-49535

Severity: 6.3 MEDIUM
EPSS: 0.1% (top 77.61%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 10

Description

Acrobat Reader versions 24.005.20307, 24.001.30213, 24.001.30193, 20.005.30730, 20.005.30710 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that allows an attacker to provide malicious XML input containing a reference to an external entity, potentially leading to unauthorized read access outside the Acrobat sandbox. Exploitation of this issue requires user interaction in that a victim must process a malicious XML document.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Exploitability: 1.8 | Impact: 4.0

Affected Packages (5 packages)

Source     | Package                   | Affected versions
NVD        | adobe/acrobat_reader      | 20.001.30002 to 20.005.30748
NVD        | adobe/acrobat_reader_dc   | < 24.005.20320
CVEListV5  | adobe/acrobat_reader      | 20.005.30710
NVD        | adobe/acrobat             | 20.001.30002 to 20.005.30748 (+1)
NVD        | adobe/acrobat_dc          | < 24.005.20320

Vulnerability Details (2)

GHSA: GHSA-g3j3-j629-pw89: Acrobat Reader versions 24 (2024-12-10)
CVEList: Acrobat Reader | Improper Restriction of XML External Entity Reference ('XXE') (CWE-611) (2024-12-10)
CVE-2024-49535 (MEDIUM CVSS 6.3) | Acrobat Reader versions 24.005.2030 | cvebase.io