Release date: February 9, 2016
Vulnerability identifier: APSB16-07
CVE numbers: CVE-2016-0948, CVE-2016-0949, CVE-2016-0950
Adobe has released a security update for Adobe Connect. This release resolves important input validation and content spoofing issues, and includes a feature to protect users from Cross-Site Request Forgery.
Adobe recommends on-premise customers update their installation to the newest version by following the instructions below:
Note: The Adobe Connect 9.5.2 installer for customer on-premise deployments (all supported locales) will be available starting on Feb 11th, 2016. For more details on new features in Connect 9.5.2, please refer to the release notes.
- This update includes a Cross-Site Request Forgery protection feature (CVE-2016-0948).
- This update resolves insufficient input validation in a URL parameter (CVE-2016-0949).
- This update resolves a vulnerability that could be used to misrepresent information presented in the user interface (content spoofing) (CVE-2016-0950).
Adobe would like to thank the following individuals for reporting these issues and for working with Adobe to help protect our customers:
- Eugene Dokukin and Francisco Correa (panchocosil) (CVE-2016-0948)
- Francisco Correa (panchocosil) (CVE-2016-0949)
- Lawrence Amer (CVE-2016-0950)