The Hacker News (THN:C9C46E3C63DA812F6C22E297AB5F14C3)
Jun 11, 2019 - 2:33 p.m.

Adobe Issues Critical Patches for ColdFusion, Flash Player, Campaign

2019-06-11 14:33:00
The Hacker News
thehackernews.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.69 Medium
Percentile: 98.0%


It’s Patch Tuesday week!

Adobe has just released its June 2019 software updates to address a total of 11 security vulnerabilities in three of its widely used products: Adobe ColdFusion, Flash Player, and Adobe Campaign.

Of these, three vulnerabilities affect Adobe ColdFusion, a commercial rapid web application development platform. All three are critical in severity and could lead to arbitrary code execution attacks.

Below is brief information about each of the newly patched ColdFusion flaws:

  • CVE-2019-7838: This vulnerability has been categorized as a “File extension blacklist bypass” and can be exploited if the file uploads directory is web accessible.
  • CVE-2019-7839: There’s a command injection vulnerability in ColdFusion 2016 and 2018 editions, but it does not impact ColdFusion version 11.
  • CVE-2019-7840: This flaw originates from the deserialization of untrusted data and also leads to arbitrary code execution on the system.

Besides ColdFusion, Adobe has patched just one vulnerability (CVE-2019-7845) in the infamous Flash Player software this month, which is also critical in severity and leads to arbitrary code execution on affected Windows, macOS, Linux, or Chrome OS-based systems.

This flaw was reported to Adobe by an anonymous cybersecurity researcher and can now be patched by installing the latest Flash Player version, 32.0.0.207.

The remaining 7 flaws that Adobe patched this month reside in Adobe Campaign Classic (ACC), an advanced cross-channel marketing and campaign management platform. One of them is critical in severity, three have been rated important, and the other 3 pose little threat to users.

The only critical flaw (CVE-2019-7843) in Adobe Campaign could allow attackers to execute commands on the affected systems (Windows and Linux) through an arbitrary code execution flaw.

At the time of writing, the company is not aware of any in-the-wild exploit for the vulnerabilities it addressed today.

Adobe has released updated versions of all three vulnerable software products for each impacted platform, and users should install them immediately to protect their systems and businesses from cyber attacks.
