⚡ TL;DR | Go Straight to the Adobe Security Update Report
Adobe has released its September Security Update addressing 63 vulnerabilities across 7 products. All of these vulnerabilities received a CVSS base score between 5.3 and 7.8, with 35 of them being critical. Exploitation could lead to a number of problems like arbitrary code execution, security feature bypass, arbitrary file system read, and memory leak. For your organization, this could result in the loss or even theft of business-critical or sensitive files and data, disruptions in business operations, and application failures.
As the vulnerabilities affect several different Adobe products and versions, you can find lists of the affected versions per product below.
Affected Software and Versions
Adobe Experience Manager
In Adobe Experience Manager 11 vulnerabilities were fixed, though none of them are critical. For the updates, detailed instructions can be found on Adobe’s bulletin-(APSB22-40). If you are running on Adobe Experience Manager’s Cloud Service, you will automatically receive updates that include new features as well as security and functionality bug fixes.
| Product | Affected Version | Updated version | Availability |
| Adobe Experience Manager (AEM) | AEM Cloud Service (CS) | AEM Cloud Service (CS) | Release Notes |
| 6.5.13.0 and earlier versions | 6.5.14.0 | AEM 6.5 Service Pack Release Notes |
Adobe Bridge
Another 12 vulnerabilities were patched in Adobe Bridge (APSB22-49) for Windows and macOS, 10 of them critical. Adobe recommends that you update your installation to the newest version via the Creative Cloud desktop app’s update mechanism. Detailed instructions are available on the help page.
| Product | Affected Version | Updated version | Availability |
| Adobe Bridge | 12.0.2 and earlier versions | 12.0.3 | Download Page |
| 11.1.3 and earlier versions | 11.1.4 | Download Page |
Adobe InDesign
In Adobe InDesign (APSB22-50) for Windows and macOS, 18 vulnerabilities were fixed, including 8 critical ones. Adobe recommends users update their installation to the newest version via the Creative Cloud desktop app’s update mechanism. You can find more information on their help page.
| Product | Affected version | Updated Version |
| Adobe InDesign | 17.3 and earlier versions | 17.4 |
| 16.4.2 and earlier versions | 16.4.3 |
Adobe Photoshop
In Adobe Photoshop 2021 and 2022 (APSB22-52) for Windows and macOS, 10 vulnerabilities have been patched, 9 of which were critical. Adobe recommends that you update your installation to the newest version via the Creative Cloud desktop app’s update mechanism. You can find more information on the help page.
| Product | Affected version | Updated Version |
| Photoshop 2021 | 22.5.8 and earlier versions | 22.5.9 |
| Photoshop 2022 | 23.4.2 and earlier versions | 23.5 |
Adobe InCopy
7 vulnerabilities were fixed in Adobe InCopy (APSB22-53) for Windows and macOS, 5 of which are critical. You are advised to update your software installations via the Creative Cloud desktop app updater, or by navigating to the InCopy Help menu and clicking „Updates.“ More information can be found on the help page.
| Product | Affected version | Updated Version |
| Adobe InCopy | 17.3 and earlier version | 17.4 |
| 16.4.2 and earlier version | 16.4.3 |
Adobe Animate
In Adobe Animate 2021 and 2022 (APSB22-54) 2 critical vulnerabilities were patched that could lead to arbitrary code execution in the context of the current user. Adobe recommends that you update your installation using the Creative Cloud desktop app’s updater. You can find more details on the help page.
| Product | Affected version | Updated Version | Availability |
| Adobe Animate 2021 | 21.0.11 and earlier versions | 21.0.12 | Download Center |
| Adobe Animate 2022 | 22.0.7 and earlier versions | 22.0.8 | Download Center |
Adobe Illustrator
Finally, 3 more vulnerabilities were patched in Adobe Illustrator 2021 and 2022 (APSB22-55), 1 of them critical. These can also be updated via the Creative Cloud desktop app’s update mechanism. For more information, you can check the help page.
| Product | Affected version | Updated Version | Availability |
| Illustrator 2022 | 26.4 and earlier versions | 26.5 | Download Page |
| Illustrator 2021 | 25.4.7 and earlier versions | 25.4.8 | Download Page |
Discover Vulnerable Devices
You can use Lansweeper to discover any installs of vulnerable Adobe products and versions in your network. This way you have an actionable list of devices and software that might require a patch. Based on this list of affected products and versions shared by Adobe, we have created a special Lansweeper report that will provide a list of all installations in your environment that could be affected by these vulnerabilities.
Adobe September 2022 CVE Codes & Categories
| CVE numbers | Vulnerability Category | CVSS base score |
| CVE-2022-30677 | Cross-site Scripting (XSS) (CWE-79) | 5.4 |
| CVE-2022-30678 | Cross-site Scripting (XSS) (CWE-79) | 5.4 |
| CVE-2022-30680 | Cross-site Scripting (XSS) (CWE-79) | 5.4 |
| CVE-2022-30681 | Cross-site Scripting (Stored XSS) (CWE-79) | 5.4 |
| CVE-2022-30682 | Cross-site Scripting (Stored XSS) (CWE-79) | 6.4 |
| CVE-2022-30683 | Violation of Secure Design Principles (CWE-657) | 5.3 |
| CVE-2022-30684 | Cross-site Scripting (Reflected XSS) (CWE-79) | 5.4 |
| CVE-2022-30685 | Cross-site Scripting (Reflected XSS) (CWE-79) | 5.4 |
| CVE-2022-30686 | Cross-site Scripting (Reflected XSS) (CWE-79) | 5.4 |
| CVE-2022-35664 | Cross-site Scripting (Reflected XSS) (CWE-79) | 5.4 |
| CVE-2022-34218 | Cross-site Scripting (Reflected XSS) (CWE-79) | 5.4 |
| CVE-2022-35699 | Out-of-bounds Write (CWE-787) | 7.8 |
| CVE-2022-35700 | Out-of-bounds Write (CWE-787) | 7.8 |
| CVE-2022-35701 | Out-of-bounds Write (CWE-787) | 7.8 |
| CVE-2022-35702 | Out-of-bounds Read (CWE-125) | 7.8 |
| CVE-2022-35703 | Out-of-bounds Read (CWE-125) | 7.8 |
| CVE-2022-35704 | Use After Free (CWE-416) | 7.8 |
| CVE-2022-35705 | Out-of-bounds Read (CWE-125) | 7.8 |
| CVE-2022-35706 | Heap-based Buffer Overflow (CWE-122) | 7.8 |
| CVE-2022-35707 | Out-of-bounds Read (CWE-125) | 7.8 |
| CVE-2022-35708 | Heap-based Buffer Overflow (CWE-122) | 7.8 |
| CVE-2022-35709 | Use After Free (CWE-416) | 5.5 |
| CVE-2022-38425 | Use After Free (CWE-416) | 5.5 |
| CVE-2022-28851 (This CVE is only available in the latest version, ID 17.4) | Improper Input Validation (CWE-20) | 7.5 |
| CVE-2022-28852 | Out-of-bounds Write (CWE-787) | 7.8 |
| CVE-2022-28853 | Out-of-bounds Write (CWE-787) | 7.8 |
| CVE-2022-28854 | Out-of-bounds Read (CWE-125) | 5.5 |
| CVE-2022-28855 | Out-of-bounds Read (CWE-125) | 5.5 |
| CVE-2022-28856 | Out-of-bounds Read (CWE-125) | 5.5 |
| CVE-2022-28857 | Out-of-bounds Read (CWE-125) | 5.5 |
| CVE-2022-30671 | Out-of-bounds Read (CWE-125) | 5.5 |
| CVE-2022-30672 | Out-of-bounds Read (CWE-125) | 5.5 |
| CVE-2022-30673 | Out-of-bounds Read (CWE-125) | 5.5 |
| CVE-2022-30674 | Out-of-bounds Read (CWE-125) | 5.5 |
| CVE-2022-30675 | Out-of-bounds Read (CWE-125) | 5.5 |
| CVE-2022-30676 | Out-of-bounds Read (CWE-125) | 5.5 |
| CVE-2022-38413 | Heap-based Buffer Overflow (CWE-122) | 7.8 |
| CVE-2022-38414 | Heap-based Buffer Overflow (CWE-122) | 7.8 |
| CVE-2022-38415 | Heap-based Buffer Overflow (CWE-122) | 7.8 |
| CVE-2022-38416 | Out-of-bounds Read (CWE-125) | 7.8 |
| CVE-2022-38417 | Out-of-bounds Read (CWE-125) | 7.8 |
| CVE-2022-35713 | Out-of-bounds Write (CWE-787) | 7.8 |
| CVE-2022-38426 | Access of Uninitialized Pointer (CWE-824) | 7.8 |
| CVE-2022-38427 | Access of Uninitialized Pointer (CWE-824) | 7.8 |
| CVE-2022-38428 | Use After Free (CWE-416) | 5.5 |
| CVE-2022-38429 | Out-of-bounds Read (CWE-125) | 7.8 |
| CVE-2022-38430 | Out-of-bounds Read (CWE-125) | 7.8 |
| CVE-2022-38431 | Out-of-bounds Read (CWE-125) | 7.8 |
| CVE-2022-38432 | Heap-based Buffer Overflow (CWE-122) | 7.8 |
| CVE-2022-38433 | Heap-based Buffer Overflow (CWE-122) | 7.8 |
| CVE-2022-38434 | Use After Free (CWE-416) | 7.8 |
| CVE-2022-38401 | Heap-based Buffer Overflow (CWE-122) | 7.8 |
| CVE-2022-38402 | Out-of-bounds Read (CWE-125) | 7.8 |
| CVE-2022-38403 | Out-of-bounds Read (CWE-125) | 7.8 |
| CVE-2022-38404 | Heap-based Buffer Overflow (CWE-122) | 7.8 |
| CVE-2022-38405 | Heap-based Buffer Overflow (CWE-122) | 7.8 |
| CVE-2022-38406 | Out-of-bounds Read (CWE-125) | 5.5 |
| CVE-2022-38407 | Out-of-bounds Read (CWE-125) | 5.5 |
| CVE-2022-38411 | Heap-based Buffer Overflow (CWE-122) | 7.8 |
| CVE-2022-38412 | Out-of-bounds Read (CWE-125) | 7.8 |
| CVE-2022-38408 | Improper Input Validation (CWE-20) | 7.8 |
| CVE-2022-38409 | Out-of-bounds Read (CWE-125) | 5.5 |
| CVE-2022-38410 | Out-of-bounds Read (CWE-125) | 5.5 |