CVE-2022-28852: 
Adobe InDesign vulnerability analysis and mitigation

Adobe InDesign versions 16.4.2 (and earlier) and 17.3 (and earlier) were affected by an out-of-bounds write vulnerability, identified as CVE-2022-28852. The vulnerability was discovered by Yonghui Han of Fortinet's FortiGuard Labs in mid-June 2022 and was publicly disclosed on September 16, 2022. This vulnerability specifically affects the decoding of QuarkXPress Drawing 'QXD' files in Adobe InDesign on Windows platforms (Fortinet Blog, NVD).

The vulnerability is classified as an out-of-bounds write vulnerability (CWE-787) that occurs during the processing of QuarkXPress Drawing 'QXD' files. The issue stems from a malformed QXD file causing an out-of-bounds memory write due to an improper bounds check. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD, Fortinet Blog).

If successfully exploited, this vulnerability could result in arbitrary code execution in the context of the current user. The exploitation requires user interaction, specifically opening a malicious file (NVD).

Adobe released security patches to address this vulnerability on September 13, 2022. Users are advised to update to the latest version of Adobe InDesign. Additionally, Fortinet has released an IPS signature 'Adobe.InDesign.CVE-2022-28852.Arbitrary.Code.Execution' to protect their customers from this vulnerability (Fortinet Blog).