
====================================================================

                              CERT-Renater

                 Information Note No. 2017/VULN040
_____________________________________________________________________

DATE                : 15/02/2017

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Adobe Campaign v6.11 versions prior
                     to 16.8 Build 8757.

=====================================================================
https://helpx.adobe.com/security/products/campaign/apsb17-06.html
____________________________________________________________________

Adobe Security Bulletin

Security update available for Adobe Campaign

Release date: February 14, 2017

Vulnerability identifier: APSB17-06

Priority: 3

CVE number: CVE-2017-2968, CVE-2017-2969

Platform: Windows and Linux


Summary

Adobe has released a security update for Adobe Campaign v6.11 for
Windows and Linux.  This update resolves a moderate security bypass
affecting the Adobe Campaign client console.  An authenticated user
with access to the client console could upload and execute a malicious
file, potentially resulting in read and write access to the system
(CVE-2017-2968). This update also resolves a moderate input validation
issue that could be used in cross-site scripting attacks (CVE-2017-2969).


Affected versions

Product                Affected version                       Platform

Adobe Campaign v6.11   16.4 Build 8724 and earlier versions   Windows and Linux


Solution

Adobe categorizes these updates with the following priority rating and
recommends users update their installation to the newest version:

Product                Updated version                      Platform            Priority rating   Availability

Adobe Campaign v6.11   16.8 Build 8757 and later versions   Windows and Linux   3                 Release Notes


Customers may refer to the FAQ for instructions on downloading the
latest build.


For customers with Adobe Campaign 16.4 Build 8724 and earlier, please
refer to the documentation page for instructions to resolve
CVE-2017-2968 by restricting uploads by file type.

Please refer to this documentation page for assistance in upgrading
Adobe Campaign server, and this documentation page for assistance in
upgrading the Client Console.


Vulnerability Details

This update resolves a moderate security bypass affecting Adobe
Campaign that could be exploited by an authenticated user with access
to the client console.

Successful exploitation could lead to read and write access to the
system (CVE-2017-2968).

This update resolves a moderate input validation issue that could be
used in cross-site scripting attacks (CVE-2017-2969).


Acknowledgments

Adobe would like to thank Léa NUEL for reporting these issues
(CVE-2017-2968 and CVE-2017-2969) and for working with Adobe to help
protect our customers.

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================





