CVE-2024-45146: 
Adobe Dimension vulnerability analysis and mitigation

Adobe Dimension versions 4.0.3 and earlier are affected by a Use After Free vulnerability (CVE-2024-45146) that could result in arbitrary code execution in the context of the current user. The vulnerability was discovered by Mat Powell of Trend Micro Zero Day Initiative and was publicly disclosed on October 8, 2024 (NVD, ZDI).

The vulnerability exists within the parsing of SKP files and results from the lack of validating the existence of an object prior to performing operations on the object. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-416 (Use After Free) (ZDI, NVD).

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the current user. This could potentially lead to the installation of programs, viewing or modification of data, or creation of new accounts with full user rights, depending on the user's privileges (CIS Advisory).

Adobe has released an update to address this vulnerability. Users are advised to update to the latest version of Adobe Dimension. The vulnerability affects both Windows and macOS operating systems (Adobe Advisory).