Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
The vulnerability consists of improper authorization verification (Incorrect Authorization) in Adobe Campaign Classic. An unauthenticated attacker operating over the network can, without any additional prerequisites and without user interaction, send a specially crafted request that leads to execution of arbitrary code in the context of the current application user. Since the scope is changed (Scope: Changed), the impact may extend beyond the directly attacked system component.
An attacker can execute arbitrary code on the server with Adobe Campaign Classic process privileges, which in practice means full control over the system, theft of marketing campaign data and personal data of customers, and potential lateral movement in the network environment.
Apply patches available from the vendor immediately in accordance with the official Adobe security bulletin: https://helpx.adobe.com/security/products/campaign/apsb26-66.html. Until the update is applied, it is recommended to restrict network access to the ACC instance to trusted IP addresses only and monitor logs for unexpected requests.
Adobe Campaign Classic (ACC) version 7.4.3 build 9394 and all earlier versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HAdobe Campaign
APPAdobe7.4.3< 7.4.3Linux Kernel
OSLinuxwszystkie wersjeMicrosoft Windows
OSMicrosoftwszystkie wersje
Related vulnerabilities
Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP
Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows
PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit