It’s Patch Tuesday week!
Adobe has just released its June 2019 software updates to address a total of 11 security vulnerabilities in three of its widely used products: Adobe ColdFusion, Flash Player, and Adobe Campaign.
Of these, three vulnerabilities affect Adobe ColdFusion, a commercial rapid web application development platform. All three are critical in severity and could lead to arbitrary code execution attacks.
Below is brief information about each newly patched ColdFusion flaw:
- CVE-2019-7838 — This vulnerability has been categorized as “File extension blacklist bypass” and can be exploited if the file uploads directory is web accessible.
- CVE-2019-7839 — There’s a command injection vulnerability in ColdFusion 2016 and 2018 editions, but it does not impact ColdFusion version 11.
- CVE-2019-7840 — This flaw originates from the deserialization of untrusted data and also leads to arbitrary code execution on the system.
Besides ColdFusion, Adobe has patched just one vulnerability (CVE-2019-7845) in the infamous Flash Player software this month, which is also critical in severity and leads to arbitrary code execution on the affected Windows, macOS, Linux or Chrome OS-based system.
This flaw was reported to Adobe by an anonymous cybersecurity researcher and can now be patched by installing the latest Flash Player version 18.104.22.168.
The remaining 7 flaws that Adobe patched this month reside in Adobe Campaign Classic (ACC), an advanced cross-channel marketing and campaign management platform. One of them is critical in severity, three have been rated important, and the other 3 pose little threat to users.
The only critical flaw (CVE-2019-7843) in Adobe Campaign could allow attackers to execute commands on the affected systems (Windows and Linux) through an arbitrary code execution flaw.
At the time of writing, the company is not aware of any in-the-wild exploit for the vulnerabilities it addressed today.
Adobe has released updated versions of all three vulnerable products for each impacted platform, which users should install immediately to protect their systems and businesses from cyber attacks.