Zero Day Initiative - The December 2025 Security Update Review
Briefly

"For December, Adobe released five bulletins addressing 139 unique CVEs in Adobe Reader, ColdFusion, Experience Manager, Creative Cloud Desktop, and the Adobe DNG Software Development Kit (SDK). Don't panic at that large of a CVE count. Most of those are simple cross-site scripting (XSS) bugs in Adobe Experience Manager. There are a few Critical-rated DOM-based XSS bugs in the mix, so don't ignore this patch by any means - just don't panic at the large number of CVEs."
"I wouldn't panic over the update for ColdFusion either, but Adobe does set the deployment priority for this fix as 1. They note there are no known active attacks for the CVEs, but there are several arbitrary code execution bugs being fixed. Also, if you're running ColdFusion, make sure you check out one of their lockdown guides. The one for ColdFusion 2025 can be found here."
Adobe released five bulletins addressing 139 unique CVEs across Adobe Reader, ColdFusion, Experience Manager, Creative Cloud Desktop, and the Adobe DNG SDK. Most of the CVEs are cross-site scripting (XSS) bugs in Experience Manager, including several Critical-rated DOM-based XSS flaws. Adobe set the ColdFusion deployment priority to 1 because of several arbitrary code execution vulnerabilities, though no active attacks were reported at release. The Adobe Reader update fixes four CVEs, two of which lead to code execution; the DNG SDK patch fixes four CVEs, including one code-execution bug; and the Creative Cloud Desktop update fixes a single Important-rated vulnerability. All Adobe updates except ColdFusion carry deployment priority 3. Microsoft released 56 new Windows CVEs at the end of the year. A Patch Report webcast recap will be posted to YouTube within a couple of hours after the release.
Read at Zero Day Initiative