CVE-2022-28857: 
Adobe InDesign vulnerability analysis and mitigation

CVE-2022-28857 is an Out-of-Bounds Read vulnerability discovered in Adobe InDesign that was disclosed and patched in September 2022. The vulnerability affects Adobe InDesign 2022 version 17.3 and earlier, as well as Adobe InDesign 2021 version 16.4.2 and earlier on Windows platforms. This vulnerability was one of twelve zero-day vulnerabilities discovered by FortiGuard Labs researchers (Fortinet Blog).

The vulnerability is classified as an Out-of-Bounds Read (CWE-125) with a CVSS score of 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). The issue specifically exists in the decoding of QuarkXPress Drawing 'QXD' files in Adobe InDesign. The vulnerability is caused by a malformed QXD file, which triggers an out-of-bounds memory read due to an improper bounds check (Adobe Security, Fortinet Blog).

When exploited, this vulnerability can lead to information leakage, allowing attackers to access sensitive information within the context of the application through a specially crafted QXD file (Fortinet Blog).

Adobe has released security patches to address this vulnerability. Fortinet has also released an IPS signature named Adobe.InDesign.CVE-2022-28857.Memory.Leak to protect their customers. Users are advised to update to the latest version of Adobe InDesign as soon as possible (Fortinet Blog).