CVE-2023-29317: 
Adobe InDesign vulnerability analysis and mitigation

Adobe InDesign versions ID18.3 (and earlier) and ID17.4.1 (and earlier) are affected by an out-of-bounds read vulnerability (CVE-2023-29317) discovered in March 2023 and disclosed on July 11, 2023. The vulnerability exists in the decoding of QuarkXPress Drawing (QXD) files and affects both Windows and macOS platforms (Adobe Security, Fortinet Research).

The vulnerability is caused by a malformed QXD file, which triggers an out-of-bounds memory read due to an improper bounds check. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The weakness is classified as CWE-125 (Out-of-bounds Read) (NVD).

When exploited, this vulnerability could lead to the disclosure of sensitive memory information and potentially allow attackers to bypass security mitigations such as ASLR. The exploitation requires user interaction, specifically opening a malicious file (NVD, Fortinet Research).

Adobe has released security patches to address this vulnerability. Users are advised to update to the latest version of Adobe InDesign. Additionally, FortiGuard Labs has implemented protective measures through their IPS signature system, and FortiEDR can detect and prevent the exploitation of this vulnerability (Fortinet Research).