Adobe has issued a hotfix for ColdFusion which fixes the same data loss flaw recently patched in the LiveCycle Data Services application framework.
A hotfix, otherwise known as a Quick Fix Engineering update (QFE update), is a lightweight software patch that does not require a reboot. On Thursday, Adobe issued a hotfix that prevents exploitation of CVE-2015-3269, an XML External Entity (XXE) issue.
"This hotfix resolves an issue associated with the parsing of crafted XML external entities in BlazeDS that could lead to information disclosure," the security advisory states.
According to the National Vulnerability Database, the medium-severity issue is found within the Apache Flex BlazeDS element of Adobe LiveCycle Data Services (LCDS) and ColdFusion.
If exploited, the flaw could allow remote attackers to read arbitrary files through the parsing of crafted XML external entities.
There are currently no known exploits, but Adobe recommends that administrators ensure their products have been updated within the next 30 days.
In July, Adobe issued fixes for two zero-day exploits uncovered through the Hacking Team information leak. The two critical flaws allowed attackers to remotely take control of vulnerable victim machines.