threatpost | Michael Mimoso | THREATPOST:FEF5EBF4BFE15BF0DF23A606FB25C344
Nov 17, 2015 - 2:45 p.m.

Adobe Issues HotFix For ColdFusion

2015-11-17 14:45:42
Michael Mimoso
threatpost.com
EPSS: 0.003 (percentile 69.9%)

Adobe this afternoon released hotfixes and security updates for three of its products that patch a handful of vulnerabilities, none of which are being publicly exploited.

The most serious vulnerabilities were in ColdFusion, Adobe’s web application development platform. The hotfix affects ColdFusion 11 Update 6 and earlier, and ColdFusion 10 Update 17 and earlier; users should upgrade to 11 Update 7 and 10 Update 18.

“This hotfix resolves two input validation issues that could be used in reflected cross-site scripting attacks,” Adobe said in its advisory. “This hotfix also includes an updated version of BlazeDS that resolves an important server-side request forgery vulnerability.”

Adobe also released security updates for LiveCycle Data Services, affecting versions 4.7, 4.6.2, 4.5, 3.1 and 3.0.x on Windows, Mac OS X and UNIX machines. LiveCycle Data Services is Adobe’s application framework.

The update patches the same server-side request forgery vulnerability patched in ColdFusion (CVE-2015-5255) and also includes a new version of BlazeDS, a Java-based remote messaging feature included in both products. James Kettle of PortSwigger Web Security is credited with reporting the issue to Adobe.

Finally, Adobe released a security update for Premiere Clip for iOS, patching an input validation vulnerability in version 1.1.1 of the mobile video-editing application.

This is the second ColdFusion and LiveCycle Data Services update since August, when Adobe patched the products twice in a nine-day period.
