Patch Tuesday: critical flaws in ColdFusion, Adobe Commerce

Software maker Adobe released security patches for 29 documented vulnerabilities across multiple enterprise products on Tuesday and warned that hackers could exploit the bugs to take full control of vulnerable machines.

As part of its planned Patch Tuesday release cycle, Adobe warned that the vulnerabilities could leave Windows and macOS users exposed to arbitrary code execution, arbitrary filesystem writes, security feature bypass, and privilege escalation attacks.

The most urgent of the fixes covers security flaws in the 2021 and 2018 versions of ColdFusion. According to Adobe's advisory, which carries a critical rating, a total of 13 ColdFusion flaws have been patched, some with a CVSS severity rating of 9.8/10.

Adobe’s Security Response Team also issued a high-priority patch for Adobe Commerce and Magento Open Source software, warning that a critical-level bug could expose users to arbitrary code execution attacks.

The Adobe Commerce and Magento Open Source flaw – CVE-2022-35698 – is described as a Cross-Site Scripting (Stored XSS) bug with a CVSS severity rating of 10/10.

The company also fixed nine documented bugs in the Adobe Dimension product and warned that Windows and macOS users were at risk of code execution and memory leak attacks. The Adobe Dimension bulletin carries the maximum critical severity level.

Adobe also released patches to cover half a dozen flaws affecting widely deployed Adobe Acrobat and Reader software.

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS.

“These updates address important vulnerabilities. Successful exploitation could lead to application denial of service and memory leak,” Adobe said.

The company said it was not aware of any attacks in the wild exploiting any of the documented vulnerabilities.

Ryan Naraine is editor of SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a seasoned cybersecurity strategist who has implemented security engagement programs for major global brands including Intel Corp., Bishop Fox and GReAT. He is co-founder of Threatpost and the SAS Global Conference Series. Ryan’s previous career as a security journalist included articles in major technology publications, including Ziff Davis eWEEK, CBS Interactive’s ZDNet, PCMag and PC World. Ryan is a director of the nonprofit organization Security Tinkerers, an advisor to startup entrepreneurs, and a regular speaker at security conferences around the world.
Follow Ryan on Twitter @ryanaraine.
