Adobe Issues Critical Patches for ColdFusion, Flash Player, Campaign


Adobe has just released its June 2019 software updates to address a total of 11 security vulnerabilities in three of its widely used products: Adobe ColdFusion, Flash Player, and Adobe Campaign.

Out of these, three vulnerabilities affect Adobe ColdFusion, a commercial rapid web application development platform—all critical in severity—that could lead to arbitrary code execution attacks.

Brief information about the newly patched ColdFusion flaws:

  • CVE-2019-7838 — This vulnerability has been categorized as “File extension blacklist bypass” and can be exploited if the file uploads directory is web accessible.
  • CVE-2019-7839 — There’s a command injection vulnerability in ColdFusion 2016 and 2018 editions, but it does not impact ColdFusion version 11.
  • CVE-2019-7840 — This flaw originates from the deserialization of untrusted data and also leads to arbitrary code execution on the system.
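Because CVE-2019-7838 is exploitable only when the file uploads directory is web accessible, a defender can check that condition directly. The following is an added example, not Adobe's code and not part of the original article; the directory layout, the function names and the list of server-executable extensions are assumptions for illustration.

```python
import os
import tempfile

# Assumption: extensions a ColdFusion server would execute if requested over HTTP.
EXECUTABLE_EXTS = {".cfm", ".cfml", ".cfc", ".jsp"}

def is_web_accessible(upload_dir, web_root):
    """True if upload_dir resolves (symlinks followed) to a path inside web_root."""
    up, root = os.path.realpath(upload_dir), os.path.realpath(web_root)
    try:
        return os.path.commonpath([up, root]) == root
    except ValueError:  # e.g. different drives on Windows: cannot be nested
        return False

def normalized_ext(filename):
    """Extension compared conservatively: lower-cased, trailing dots/spaces dropped."""
    name = filename.rstrip(". ").lower()
    return os.path.splitext(name)[1]

def audit_uploads(upload_dir, web_root):
    """Return (web_accessible, sorted server-executable files found under upload_dir)."""
    hits = []
    for dirpath, _dirs, files in os.walk(upload_dir):
        for f in files:
            if normalized_ext(f) in EXECUTABLE_EXTS:
                hits.append(os.path.relpath(os.path.join(dirpath, f), upload_dir))
    return is_web_accessible(upload_dir, web_root), sorted(hits)

def build_sample_tree(base):
    """Constructed sample layout: one uploads folder inside the web root, one outside."""
    web_root = os.path.join(base, "wwwroot")
    uploads = os.path.join(web_root, "uploads")
    os.makedirs(uploads)
    for name in ("report.pdf", "photo.JPG", "page.CFM", "notes.txt"):
        open(os.path.join(uploads, name), "w").close()
    outside = os.path.join(base, "data", "uploads")
    os.makedirs(outside)
    return web_root, uploads, outside

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        web_root, uploads, outside = build_sample_tree(base)
        print(audit_uploads(uploads, web_root))   # inside the web root
        print(audit_uploads(outside, web_root))   # stored outside the web root
```

A result of `True` with a non-empty file list means the uploads directory is both reachable over HTTP and already holds files the server would execute, which warrants investigation in addition to patching.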


Besides ColdFusion, Adobe has patched just one vulnerability (CVE-2019-7845) in the infamous Flash Player software this month, which is also critical in severity and leads to arbitrary code execution on the affected Windows, macOS, Linux or Chrome OS-based system.

This flaw was reported to Adobe by an anonymous cybersecurity researcher and can now be patched by installing the latest Flash Player version 32.0.0.207.

The remaining 7 flaws that Adobe patched this month reside in Adobe Campaign Classic (ACC), an advanced cross-channel marketing and campaign management platform. One of them is critical in severity, three have been rated important, and the other 3 pose little threat to users.

The only critical flaw (CVE-2019-7843) in Adobe Campaign could allow attackers to execute commands on the affected systems (Windows and Linux) through an arbitrary code execution flaw.

At the time of writing, the company is not aware of any in-the-wild exploit for the vulnerabilities it addressed today.

Adobe has released updated versions of all three vulnerable software products for each impacted platform, which users should install immediately to protect their systems and businesses from cyber attacks.

The information is gathered from The Hacker News.