This week, Adobe rolled out its monthly security updates. This time, the updates address relatively few security flaws. Moreover, they do not cover the popular Adobe products, such as Flash Player or Reader. Instead, the patches target Adobe Experience Manager, Adobe Bridge CC, and Dreamweaver. Below is a quick round-up of Adobe's July Patch Tuesday.
Multiple Vulnerabilities Patched In Adobe Experience Manager
With the July updates, Adobe has fixed three different vulnerabilities in Adobe Experience Manager. These include two important vulnerabilities and a single moderate-severity flaw. As stated in Adobe's advisory, these vulnerabilities, if exploited, could result in disclosure of sensitive information.
Among these, the important security flaws include a cross-site request forgery (CVE-2019-7953) and stored cross-site scripting (CVE-2019-7954).
The moderate-severity flaw is a reflected cross-site scripting vulnerability (CVE-2019-7955). The vendor acknowledged Lorenzo Pirondini for reporting this flaw.
The Adobe Experience Manager versions affected by these vulnerabilities include 6.0, 6.1, 6.2, 6.3, and 6.4. Adobe has fixed all these vulnerabilities in the respective AEM versions 6.3, 6.4, and 6.5.
Other Adobe July Patch Tuesday Fixes
In addition to the above, Adobe Patch Tuesday updates also address a single flaw each in Adobe Bridge CC and Adobe Dreamweaver.
Regarding Adobe Bridge CC, an important out-of-bounds read vulnerability (CVE-2019-7963) existed that could result in information disclosure. As stated in Adobe’s advisory,
A vulnerability… occurs when parsing malformed SVG images. This can result in an out-of-bounds memory read which leads to information (memory address) disclosure in the context of current user.
The vulnerability specifically affected Adobe Bridge CC versions 9.0.2 and earlier. The vendor fixed the flaw in version 9.1 and credited Francis Provencher, a researcher with Trend Micro's Zero Day Initiative, for reporting it.
As for Adobe Dreamweaver, an important insecure library loading (DLL hijacking) flaw affected the Adobe Dreamweaver direct download installer, versions up to and including 19.0 and 18.0. This vulnerability (CVE-2019-7956) could lead to privilege escalation if exploited.
Adobe has fixed this flaw in the 2019 and 2018 releases of the Adobe Dreamweaver direct download installer. Adobe also thanked the researcher, Honc, in its advisory for reporting this issue.
Users of the respective Adobe products must ensure that they update their systems to the patched software versions.