Adobe has released hotfixes and security updates for three of its products that patch a handful of vulnerabilities, none of which are being publicly exploited.

The most serious vulnerabilities were in ColdFusion, Adobe’s web application development platform. The hotfix affects ColdFusion 11 Update 6 and earlier, and ColdFusion 10 Update 17 and earlier; users should upgrade to 11 Update 7 and 10 Update 18. This hotfix resolves two input validation issues that could be used in reflected cross-site scripting attacks. This hotfix also includes an updated version of BlazeDS that resolves an important server-side request forgery vulnerability.

Adobe also released security updates for LiveCycle Data Services, affecting versions 4.7, 4.6.2, 4.5, 3.1 and 3.0.x on Windows, Mac OS X and UNIX machines. LiveCycle Data Services is Adobe’s application framework. The update patches the same server-side request forgery vulnerability patched in ColdFusion and also includes a new version of BlazeDS, a Java-based remote messaging feature included in both products.
The information provided herein is on an "as is" basis, without warranty of any kind.
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street