
Adobe Patch Tuesday updates fix code execution issues in Campaign, ColdFusion, and Flash


Adobe Patch Tuesday security updates for June 2019 address some critical arbitrary code execution vulnerabilities in Flash Player, ColdFusion and Campaign products.

Adobe fixed critical command injection, file extension blacklist bypass and deserialization vulnerabilities in ColdFusion. The vulnerabilities could lead to arbitrary code execution on vulnerable systems. Below is the list of flaws in ColdFusion fixed by Adobe:

| Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers |
|---|---|---|---|
| File extension blacklist bypass | Arbitrary code execution | Critical (see note below) | CVE-2019-7838 |
| Command Injection | Arbitrary code execution | Critical (see note below) | CVE-2019-7839 |
| Deserialization of untrusted data | Arbitrary code execution | Critical (see note below) | CVE-2019-7840 |

The issues affect ColdFusion 2016, 2018 and 11.

Adobe credited Badcode of Knownsec 404 Team, Moritz Bechler of SySS GmbH, and Brenden Meeder of Booz Allen Hamilton for reporting the flaws.

Adobe also informed users that remote access to the Adobe LiveCycle Data Management feature has been disabled by default due to security risks.

Adobe Patch Tuesday security updates for June 2019 also address a critical use-after-free vulnerability in Flash Player (CVE-2019-7845) that could lead to arbitrary code execution. The flaw was anonymously reported via Trend Micro’s Zero Day Initiative.

“Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address a critical vulnerability in Adobe Flash Player,” reads the security advisory. “Successful exploitation could lead to arbitrary code execution in the context of the current user.”

Finally, Adobe addressed seven types of vulnerabilities in its Campaign product, including information disclosure, arbitrary file read, and code execution issues. The most severe vulnerability, tracked as CVE-2019-7850, is a critical command injection issue that could lead to arbitrary code execution.

Pierluigi Paganini


The post Adobe Patch Tuesday updates fix code execution issues in Campaign, ColdFusion, and Flash appeared first on Security Affairs.