CVE-2024-49535

CVE Database · CVE-2024-49535

CVE-2024-49535

· MEDIUMAnalyzed

CVSS v3.1

6.3

EPSS

0.40%

Published

Dec 10, 2024

Modified

Jan 23, 2025

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Acrobat Reader versions 24.005.20307, 24.001.30213, 24.001.30193, 20.005.30730, 20.005.30710 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that allows an attacker to provide malicious XML input containing a reference to an external entity, potentially leading to unauthorized read access outside the Acrobat sandbox. Exploitation of this issue requires user interaction in that a victim must process a malicious XML document.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Weaknesses (CWE)

CWE-611

Affected Products (7)

adobe · acrobat (up to 20.005.30748)vulnerable

adobe · acrobat (up to 24.001.30225)vulnerable

adobe · acrobat_dc (up to 24.005.20320)vulnerable

adobe · acrobat_reader (up to 20.005.30748)vulnerable

adobe · acrobat_reader_dc (up to 24.005.20320)vulnerable

apple · macos

microsoft · windows

References (1)

https://helpx.adobe.com/security/products/acrobat/apsb24-92.html

Vendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs