
====================================================================

                             CERT-Renater

                 Information Note No. 2018/VULN101
_____________________________________________________________________

DATE                : 14/03/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Adobe Connect versions prior to
                     9.7.5.

=====================================================================
https://helpx.adobe.com/security/products/connect/apsb18-06.html
_____________________________________________________________________

Security updates available for Adobe Connect | APSB18-06

+----------------------------------------------------------------------+
|Bulletin ID              |Date Published                  |Priority   |
|-------------------------+--------------------------------+-----------|
|APSB18-06                |March 13, 2018                  |3          |
+----------------------------------------------------------------------+

Summary

Adobe has released a security update for Adobe Connect. This update
resolves an unrestricted SWF file upload vulnerability (CVE-2018-4921),
which could be exploited to conduct cross-site scripting attacks. This
update also resolves an OS command injection vulnerability in the Adobe
Connect URI handler on Windows (CVE-2018-4923) that could result in
unintended arbitrary local file removal or forced uninstall of the
application.


Affected product versions

+-------------------------------------------------+
|Product             |Version          |Platform  |
|--------------------+-----------------+----------|
|Adobe Connect       |9.7 and earlier  |All       |
+-------------------------------------------------+

Solution

Adobe categorizes these updates with the following priority ratings and
recommends users update their installation to the newest version:

+----------------------------------------------------------------------+
|Product         |Version   |Platform   |Priority   |Availability      |
|----------------+----------+-----------+-----------+------------------|
|Adobe Connect   |9.7.5     |All        |3          |Release note      |
+----------------------------------------------------------------------+


Vulnerability details

+-----------------------------------------------------------------------------+
|Vulnerability Category       |Vulnerability Impact   |Severity |CVE Number   |
|-----------------------------+-----------------------+---------+-------------|
|OS Command Injection         |Arbitrary file deletion|Important|CVE-2018-4923|
|-----------------------------+-----------------------+---------+-------------|
|Unrestricted SWF File Upload |Information disclosure |Important|CVE-2018-4921|
+-----------------------------------------------------------------------------+


Acknowledgments

Adobe would like to thank the following individuals for reporting these
issues and for working with Adobe to help protect our customers:

  * Ciaran McNally (CVE-2018-4921)
  * Rgod (CVE-2018-4923)


==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================



