Adobe has patched a potentially serious security issue in its internal systems.Security research firm Vulnerability Lab claim to have discovered that code submitted through some of Adobe’s event marketing registration forms,which ultimately made its way to one of the company’s main databases, from where it propagated to emails and web services.
The issue was a cross-site scripting (XSS) bug in a form used for event marketing registration and said a fix had been implemented. If Adobe’s classification of the flaw is accurate, it was likely a persistent XSS.
According to Vulnerability Lab the issue was analyzed between November 2017 and February 2018. The company claims it took until May for Adobe to identify the cause of the problem, with a patch being implemented in mid-June.There were multiple domains where malicious code could have been inserted and there were multiple places where the code would be executed.
“The code was injected to a micro service, from there it was taken to the main application management service. Then it was synced into the main lead database of Adobe and we had several domains where we were able to place our codes with executable content,” explained Benjamin Kunz Mejri, CEO and founder of Vulnerability Lab.
The exploit code was delivered via emails sent out by Adobe and on some of the company’s domains, Kunz Mejri said.