Adobe on internal systems security hole: Panic not. It isn't critical

Adobe has attempted to play down the significance of a vulnerability in its internal systems.

Bug hunters at an outfit called Vulnerability Laboratory claimed they had discovered a remote code execution hole in one of the Photoshop giant's main staff-only database systems – a weakness that was only corrected on Saturday. Remote code execution flaws are almost invariably rated critical.

In response to queries from El Reg on the matter, though, Adobe claimed the flaw was a far less severe class of vulnerability.

"This was a cross-site scripting bug in a form used for event marketing registration," an Adobe spokeswoman told El Reg today. "We have since implemented a fix."

Vulnerability Laboratory has disputed Adobe's take, and stands by its own assessment on the severity of the flaw, which, if it is correct, would rate a score of 6.4 in the Common Vulnerability Scoring System.

"At the beginning the engineers thought this [was] only affecting the marketing system by XSS [cross-site scripting] but [ultimately] it was not," Vulnerability Laboratory's Benjamin Kunz Mejri told El Reg.

"[Many] domains [were] affected; the email service was affected; parts of the backend w[h]ere the data was processed [were affected]. The [scheme showing how it works] was delivered at the end to ensure that Adobe understands the impact of the attack."

Mejri added: "An arbitrary code inject, results for sure – at several parts in their infrastructure – in a code execution." He told The Reg that, during its investigation, Vulnerability Lab team did not, of course, attempt to illegally access Adobe's servers, however, they believed it would be possible for miscreants to do so via the bugs they found.

How to attack the Adobe internal systems vulnerability, according to Vulnerability Laboratory

Vulnerability Lab first notified Adobe about the issue in February, and has been working with the vendor in the five months since. Adobe resolved the flaw on Saturday, July 14, allowing Vulnerability Lab to finally go public with its findings on Thursday. ®