Adobe’s June 2019 Patch Tuesday updates address several critical arbitrary code execution vulnerabilities affecting the company’s Flash Player, ColdFusion and Campaign products.
In the ColdFusion web application development platform, which has been known to be targeted by malicious actors, Adobe patched critical command injection, file extension blacklist bypass and deserialization issues that can lead to arbitrary code execution.
The flaws were reported to the software giant by Badcode of Knownsec 404 Team, Moritz Bechler of SySS GmbH, and Brenden Meeder of Booz Allen Hamilton. They impact ColdFusion 2016, 2018 and 11, and separate updates have been released for each version.
Adobe also informed users that remote access to the Adobe LiveCycle Data Management feature has been disabled by default due to security risks.
In Flash Player, Adobe resolved a critical use-after-free bug that can lead to arbitrary code execution. Flash has also been targeted by malicious actors, but with Adobe planning on killing it next year, fewer vulnerabilities have been found in the application in recent months.
Finally, Adobe patched seven types of vulnerabilities in Campaign, a platform for designing and executing digital marketing campaigns. The list of flaws includes information disclosure, arbitrary file read, and code execution issues. Only the code execution weakness has been classified as “critical,” while the rest are either “important” or “moderate.”