Adobe Security Bulletin

Last updated on

Security hotfix available for RoboHelp Server  | APSB23-53

Bulletin ID	Date Published	Priority
ASPB23-53	November 14, 2023	3

Summary

Adobe has released a security update for RoboHelp Server. This update resolves vulnerabilities rated critical and important. Successful exploitation could lead to arbitrary code execution and memory leak in the context of the current user.

Affected Versions

Product	Affected version	Platform
RoboHelp Server	RHS 11.4 and earlier versions	Windows

Solution

Adobe categorizes these updates with the following priority rating and recommends users update their installation to the newest version: 

Product	Version	Platform	Priority rating	Availability
RoboHelp Server	RHS 11 Update 5 (11.5)	Windows	3	Release notes

Vulnerability Details

Vulnerability Category	Vulnerability Impact	Severity	CVSS base score	CVSS vector	CVE Numbers
Information Exposure (CWE-200)	Memory leak	Critical	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	CVE-2023-22272
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)	Arbitrary code execution	Critical	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	CVE-2023-22273
Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)	Memory leak	Critical	8.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L	CVE-2023-22274
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)	Memory leak	Critical	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	CVE-2023-22275
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)	Memory leak	Important	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	CVE-2023-22268

Acknowledgments

Adobe would like to thank the following researcher for reporting this issue and for working with Adobe to help protect our customers:    

Anonymous working with Trend Micro Zero Day Initiative - CVE-2023-22272, CVE-2023-22273, CVE-2023-22274, CVE-2023-22275, CVE-2023-22268

NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

Adobe

Get help faster and easier

New user?