CVE-2023-29308: 
Adobe InDesign vulnerability analysis and mitigation

Adobe InDesign versions ID18.3 (and earlier) and ID17.4.1 (and earlier) are affected by an out-of-bounds write vulnerability (CVE-2023-29308) that was discovered in March 2023 and patched on July 11, 2023. The vulnerability affects both Windows and macOS platforms and occurs when decoding QuarkXPress Drawing 'QXD' files. This security flaw could result in arbitrary code execution in the context of the current user, requiring user interaction through opening a malicious file (Adobe Advisory, SOCRadar).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is specifically caused by a malformed QXD file, which triggers an out-of-bounds memory write due to an improper bounds check. The flaw exists in the decoding process of QuarkXPress Drawing 'QXD' files in Adobe InDesign (Fortinet Blog).

If successfully exploited, this vulnerability could allow attackers to execute arbitrary code within the context of the current user. This means an attacker could potentially gain the same level of access and privileges as the user running the application, potentially leading to unauthorized control over the affected system (NVD, Fortinet Blog).

Adobe has released security patches to address this vulnerability. Users are strongly advised to update their Adobe InDesign installations to version ID18.4 for Windows and macOS, or ID17.4.2 for Windows and macOS. Additionally, Fortinet has released IPS signature Adobe.InDesign.CVE-2023-29308.Arbitrary.Code.Execution to protect their customers (Fortinet Blog).