Arbitrary Code Execution Vulnerability in Substance3D Painter Could Lead to User Data Theft
CVE-2024-20740

7.8HIGH

Key Information:

Vendor: Adobe
Status: Substance3D - Painter
Vendor: CVE Published:; 15 February 2024

Summary

An out-of-bounds write vulnerability has been identified in Adobe Substance3D Painter versions 9.1.1 and earlier, potentially leading to arbitrary code execution within the context of the current user. Exploitation of this vulnerability necessitates user interaction, as the victim must open a specifically crafted malicious file. This highlights the importance of cautious file handling practices and maintaining updated software versions to mitigate risks associated with such vulnerabilities.

Affected Version(s)

Substance3D - Painter 0 <= 9.1.1

References

https://helpx.adobe.com/security/products/substance3d_pai...

vendor-advisory

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Feb 15, 2024
Vulnerability Reserved
Dec 4, 2023