Today Adobe released security updates for Flash Player and ColdFusion as part of their September 2018 monthly patch Tuesday. These updates fix numerous information disclosure vulnerabilities and critical vulnerabilities in ColdFusion that could allow attackers to remotely execute commands on a vulnerable server.
Users of affected products are strongly advised to update them to the latest versions.
Adobe has released a security update for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. This update addresses an information disclosure vulnerability in Adobe Flash Player 22.214.171.124 and earlier versions that was reported by Microsoft’s Security Response Center.
After this update is installed, Adobe Flash Player will be at version 126.96.36.199. It does not appear that this vulnerability was being actively used in the wild.
| Vulnerability Category | Vulnerability Impact | Severity | CVE Number |
|---|---|---|---|
| Privilege Escalation | Information Disclosure | Important | CVE-2018-15967 |
Adobe has released a security update for ColdFusion versions 2018, 2016 and 11 that fixes numerous vulnerabilities, including five critical ones that could allow the execution of code on the server by a remote attacker and another that could allow files to be overwritten.
Also patched are two information disclosure vulnerabilities and one that could allow for the creation of folders. It is not known whether these vulnerabilities have been actively used in attacks.
As part of this security bulletin, Adobe recommends that all ColdFusion customers follow the lockdown guides for their respective versions of ColdFusion as described below.
Adobe also recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.
| Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers |
|---|---|---|---|
| Deserialization of untrusted data | Arbitrary code execution | Critical | |
| Use of a component with a known vulnerability | Information Disclosure | Moderate | CVE-2018-15964 |
| Security bypass | Arbitrary folder creation | Important | CVE-2018-15963 |
| Directory listing | Information Disclosure | Important | CVE-2018-15962 |
| Unrestricted file upload | Arbitrary code execution | Critical | CVE-2018-15961 |
| Use of a component with a known vulnerability | Arbitrary file overwrite | Critical | CVE-2018-15960 |