CVE-2023-29310: 
Adobe InDesign vulnerability analysis and mitigation

Adobe InDesign versions ID18.3 (and earlier) and ID17.4.1 (and earlier) are affected by an out-of-bounds read vulnerability (CVE-2023-29310) discovered in March 2023 and patched on July 11, 2023. The vulnerability exists in the decoding of QuarkXPress Drawing 'QXD' files and affects both Windows and macOS platforms (Fortinet Blog, Adobe Advisory).

The vulnerability is classified as an out-of-bounds read vulnerability with a CVSS v3.1 Base Score of 5.5 (Medium), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The vulnerability is specifically caused by a malformed QXD file, which triggers an out-of-bounds memory read due to an improper bounds check (NVD, Fortinet Blog).

When exploited, this vulnerability could lead to disclosure of sensitive memory information and potentially allow attackers to bypass security mitigations such as ASLR. The vulnerability requires user interaction, specifically opening a malicious file, to be exploited (NVD).

Adobe has released security patches to address this vulnerability. Users are advised to update to ID18.4 for Windows and macOS, or ID17.4.2 for Windows and macOS. Additionally, Fortinet has released an IPS signature Adobe.InDesign.CVE-2023-29310.Memory.Leak to protect their customers (Fortinet Blog).