CVE-2024-49535: Acrobat Reader | Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)
First published: Tue Dec 10 2024(Updated: )
Acrobat Reader versions 24.005.20307, 24.001.30213, 24.001.30193, 20.005.30730, 20.005.30710 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that allows an attacker to provide malicious XML input containing a reference to an external entity, potentially leading to unauthorized read access outside the Acrobat sandbox. Exploitation of this issue requires user interaction in that a victim must process a malicious XML document.
Credit: psirt@adobe.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| Any of | ||
| Adobe Acrobat Reader | >=20.001.30002<20.005.30748 | |
| Adobe Acrobat Reader | >=24.0.0<24.001.30225 | |
| Adobe Acrobat | <24.005.20320 | |
| Adobe Acrobat Reader | >=20.001.30002<20.005.30748 | |
| Adobe Acrobat Reader | <24.005.20320 | |
| Any of | ||
| Apple iOS and macOS | ||
| Microsoft Windows |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2024-49535?
CVE-2024-49535 is classified as a high severity vulnerability due to its potential exploitation via malicious XML input.
How do I fix CVE-2024-49535?
To fix CVE-2024-49535, update Adobe Acrobat Reader or Adobe Acrobat DC to the latest version that is not affected by this vulnerability.
Which versions are affected by CVE-2024-49535?
CVE-2024-49535 affects Adobe Acrobat Reader versions prior to 20.005.30748 and 24.001.30225, as well as Adobe Acrobat DC versions before 24.005.20320.
What is an XML External Entity Reference ('XXE') vulnerability as seen in CVE-2024-49535?
An XML External Entity Reference ('XXE') vulnerability allows attackers to exploit vulnerable applications by providing harmful XML input that can access internal files or services.
Can CVE-2024-49535 impact both Windows and macOS users?
CVE-2024-49535 specifically affects Adobe Acrobat products and is not related to vulnerabilities in the underlying operating systems like Windows and macOS.
- agent/title
- agent/references
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/author
- agent/event
- agent/severity
- agent/source
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/description
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/adobe
- canonical/adobe acrobat reader
- version/adobe acrobat reader/20.001.30002
- version/adobe acrobat reader/24.0.0
- canonical/adobe acrobat
- vendor/apple
- canonical/apple ios and macos
- vendor/microsoft
- canonical/microsoft windows