Adobe’s September Patch Tuesday offering included a security update fixing a vulnerability rated important in Flash Player, along with a total of nine fixes for ColdFusion, six of which were rated critical.
The Flash Player issue, CVE-2018-15967, is a privilege escalation vulnerability that, if exploited, could lead to information disclosure, Adobe reported. It impacts Adobe Flash Player Desktop Runtime versions 0.0.0.154 and earlier for Windows, macOS, Linux and Chrome OS; Adobe Flash Player for Google Chrome versions 126.96.36.199 and earlier for Windows, macOS, Linux and Chrome OS; and Adobe Flash Player for Microsoft Edge and Internet Explorer 11 versions 188.8.131.52 and earlier for Windows 10 and 8.1.
ColdFusion’s critical issues were CVE-2018-15965, CVE-2018-15957, CVE-2018-15958, CVE-2018-15959, CVE-2018-15961 and CVE-2018-15960, according to the company.
The first four are deserialization-of-untrusted-data flaws that could lead to arbitrary code execution. CVE-2018-15961 is an unrestricted file upload flaw that could also lead to arbitrary code execution, and the final vulnerability stems from the use of a component with a known vulnerability, which enables an attacker to arbitrarily overwrite files.
The two patched vulnerabilities rated important were CVE-2018-15963 and CVE-2018-15962. The former is a security bypass that, if exploited, could lead to information disclosure, while the latter is an unrestricted file upload that could lead to arbitrary code execution.