Adobe releases third patch update of the month to squash scripting bugs

The security update relates to Adobe Experience Manager.
Written by Charlie Osborne, Contributing Writer

Adobe has released its third security update of the month with a fresh round of patches to resolve bugs in Adobe Experience Manager and Adobe Experience Manager Forms.

On Tuesday, the software giant published a security advisory which detailed two vulnerabilities, deemed 'moderate' and 'important,' which have now been resolved in the main content management solution, alongside a single security flaw in Adobe Experience Manager Forms, a digital forms creator within the main suite.

The first vulnerability, CVE-2018-19726, is a stored cross-site scripting vulnerability and impacts Adobe Experience Manager versions 6.0, 6.1, 6.2, 6.3, and 6.4 on all platforms.

The second security flaw, CVE-2018-19727, is a reflected cross-site scripting vulnerability which only affects Adobe Experience Manager versions 6.3 and 6.4.

The vulnerability impacting Adobe Experience Manager Forms is CVE-2018-19724, a stored cross-site scripting bug, deemed 'important,' which can lead to sensitive information disclosure if exploited. Adobe Experience Manager Forms versions 6.2, 6.3, and 6.4 on all platforms are affected.

Adobe recommends that users accept updates to their software builds immediately to mitigate the risk of exploitation.

This is the third release this month by Adobe to resolve security vulnerabilities in the firm's software. In the first release of January, Adobe patched critical bugs in Adobe Acrobat and Reader which, if exploited, could lead to privilege escalation and the execution of arbitrary code (CVE-2018-19725, CVE-2018-16011).

The second security update centered on Adobe Connect and Digital Editions. This round of patches fixed two vulnerabilities, CVE-2018-19718 and CVE-2018-12817, which have the potential to expose session tokens and leak sensitive information.

In related news this month, security researchers released three micropatches for a set of Windows zero-day vulnerabilities for which exploit code has been released online. Microsoft has yet to patch the bugs.
