Adobe on internal systems bug: It’s not critical
Adobe has played down the significance of an admitted vulnerability in its internal systems.
Bug hunters at Vulnerability Laboratory claimed they had discovered a code execution weakness in the Adobe Systems’ main lead database management system, which was only resolved on Saturday. Flaws that lead on to remote code execution are almost invariably rated critical.
In response to queries from El Reg on the matter, Adobe claimed the flaw was a far less severe class of vulnerability.
“This was a cross-site scripting bug in a form used for event marketing registration,” an Adobe spokeswoman told El Reg. “We have since implemented a fix.”
Vulnerability Laboratory has disputed Adobe’s take and stands by its own on the severity of the flaw, which, if it is correct, would rate a score of 6.4 under the Common Vulnerability Scoring System.
“At the beginning the engineers thought this [was] only affecting the marketing system by XSS [cross-site scripting] but [ultimately] it was not,” Vulnerability Laboratory’s Benjamin Kunz Mejri told El Reg. “[Many] domains [were] affected; the email service was affected; parts of the backend w[h]ere the data was processed [were affected]. The [scheme showing how it works] was delivered at the end to ensure that Adobe understands the impact of the attack.”
Mejri added: “An arbitrary code inject, results for sure – at several parts in their infrastructure – in a code execution.” He told The Reg that in its demos, the Vulnerability Lab team would of course never attempt to fully hack the Adobe domains and servers but believed it would be possible to do so.
![Adobe internal systems vulnerability [source: Vulnerability Laboratory]](https://regmedia.co.uk/2018/07/19/adobe_internal_systems_bug.png "Adobe internal systems vulnerability")
Adobe internal systems vulnerability, attack workflow [source: Vulnerability Laboratory]
Vulnerability Lab first notified Adobe about the issue in February and has been working with the vendor in the five months since. Adobe resolved the flaw on Saturday, 14 July, allowing Vulnerability Lab to finally go public with its discovery on Thursday. ®
Sponsored:
Minds Mastering Machines – Call for papers now open
Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/19/adobe_internal_systems_bug/