Adobe has issued unscheduled patches for vulnerabilities rated “important” across its Experience Manager platform, which allows developers to create mobile apps, social campaigns and landing pages.
Overall, Adobe issued three fixes, including an “important” flaw (CVE-2018-19726) and a “moderate” flaw (CVE-2018-19727) in its Adobe Experience Manager, and an “important” vulnerability (CVE-2018-19724) in its Adobe Experience Manager Forms.
The important vulnerability in Adobe’s Experience Manager platform impacts versions 6.0 through 6.4 of the product. The flaw is a stored cross-site scripting glitch that could lead to sensitive information disclosure.
Stored cross-site scripting is the most dangerous type of cross-site scripting, according to researchers with Imperva. This type of attack occurs when a web application gathers potentially malicious input from a user and then stores that input in a data store for later use. The attack could potentially be used to hijack another user’s browser, capture sensitive information, or for other malicious purposes.
Adobe said that the update for this is a priority 2, meaning that it resolves flaws in a product that have historically been at elevated risk – but there are currently no known exploits.
The moderate-severity flaw, meanwhile, is a reflected cross-site scripting vulnerability that could lead to sensitive information disclosure. This flaw specifically impacts Adobe Experience Manager versions 6.3 and 6.4.
Reflected cross-site scripting occurs when an attacker injects browser-executable code into a single HTTP response. This type of injected attack is less severe because it is not stored within the application itself. Instead, the attack is non-persistent and only impacts users who open a maliciously crafted third-party web page.
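The difference between the stored and reflected cases described above, and the output-encoding fix that applies to both, shown as an added example. This is not Adobe Experience Manager code; the handlers, the in-memory `store` and the sample input are constructed for illustration.

```javascript
// Added illustration: generic handlers, not Adobe Experience Manager code.
const store = []; // stands in for the application's data store

// Encode the characters that let text break out of an HTML text node or attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Stored: input is saved once, then rendered for every later visitor.
function saveComment(text) { store.push(text); }
function renderCommentsUnsafe() {          // vulnerable: raw concatenation
  return store.map(c => `<li>${c}</li>`).join("");
}
function renderCommentsSafe() {            // hardened: encode at output time
  return store.map(c => `<li>${escapeHtml(c)}</li>`).join("");
}

// Reflected: input arrives in the request and is echoed in that one response only.
function renderSearchUnsafe(query) { return `<p>Results for ${query}</p>`; }
function renderSearchSafe(query) { return `<p>Results for ${escapeHtml(query)}</p>`; }

// Constructed sample input containing markup.
const SAMPLE = "<script>alert(1)</script>";

function demo() {
  store.length = 0;
  saveComment("nice post");
  saveComment(SAMPLE);                     // persisted: every later page view includes it
  return {
    storedUnsafe: renderCommentsUnsafe(),  // markup reaches any visitor's browser
    storedSafe: renderCommentsSafe(),      // same data, rendered as inert text
    reflectedUnsafe: renderSearchUnsafe(SAMPLE),
    reflectedSafe: renderSearchSafe(SAMPLE),
    reflectedNextRequest: renderSearchUnsafe("shoes"), // nothing persists between requests
  };
}

console.log(demo());
```
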
On the Experience Manager Forms front, Adobe released a fix for an important stored cross-site scripting flaw. The forms are often used in large enterprises to create and reuse various digital forms by copying them to a content management system.
“Adobe has released security updates for Adobe Experience Manager Forms,” the company said in its release. “These updates resolve a stored cross-site scripting vulnerability rated important that could result in sensitive information disclosure.”
The flaw specifically impacts versions 6.2, 6.3, and 6.4 of Adobe Experience Manager Forms, and is also a priority-2 update. Researcher Adam Willard was credited with reporting the flaw.
Adobe’s latest fixes come after its regularly scheduled update in January, when it released patches for two bugs rated important in its Adobe Digital Edition and Adobe Connect products. The two important vulnerabilities include an information-disclosure bug in Adobe’s eBook reader software program, Digital Edition, as well as a session-token exposure bug in its presentation and web conferencing software, Adobe Connect.
In another unscheduled update in January, the company fixed two critical flaws in Adobe Acrobat and Reader for Windows and MacOS. The two critical vulnerabilities, CVE-2018-16011 and CVE-2018-19725, could be successfully exploited to carry out arbitrary code execution in the context of the current user.