CVE-2024-20766: 
Adobe InDesign vulnerability analysis and mitigation

Adobe InDesign Desktop versions 18.5.1, 19.2 and earlier are affected by an out-of-bounds read vulnerability identified as CVE-2024-20766. The vulnerability was discovered and reported by security researcher Francis Provencher (prl), with the initial CVE record being created on December 4, 2023. This security issue affects both Windows and macOS operating systems running the specified versions of InDesign (Adobe Advisory).

The vulnerability is classified as an out-of-bounds read issue (CWE-125) that could potentially expose sensitive memory information. The severity is rated as MEDIUM with a CVSS v3.1 base score of 5.5 (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). This scoring indicates that the vulnerability requires local access and user interaction, has no impact on integrity or availability, but could result in high confidentiality impact (NVD).

The vulnerability could lead to the disclosure of sensitive memory information and potentially allow attackers to bypass security mitigations such as Address Space Layout Randomization (ASLR). This type of vulnerability could expose sensitive data stored in memory, potentially compromising system security (CVE).

Adobe has addressed this vulnerability by releasing version 18.5.2 for the 18.x branch and version 19.3 for the 19.x branch. Users are advised to update their InDesign installations to these or later versions to mitigate the vulnerability (Adobe Advisory).