Adobe Security Bulletin

Security update available for Adobe Connect

Release date: February 9, 2016

Vulnerability identifier: APSB16-07

Priority: 3

CVE number: CVE-2016-0948, CVE-2016-0949, CVE-2016-0950

Platform: Windows

Summary

Adobe has released a security update for Adobe Connect. This release resolves important input validation and content spoofing issues, and includes a feature to protect users from Cross-Site Request Forgery.

Affected Versions

Product       | Affected Versions          | Platform
Adobe Connect | 9.4.2 and earlier versions | Windows

Solution

Adobe recommends on-premise customers update their installation to the newest version by following the instructions below: 

Product       | Updated Version | Priority rating | Availability
Adobe Connect | 9.5.2           | 3               | Release Notes

Note: The Adobe Connect 9.5.2 installer for customer on-premise deployments (all supported locales) will be available starting on Feb 11th, 2016. For more details on new features in Connect 9.5.2, please refer to the release notes.

Vulnerability Details

  • This update includes a Cross-Site Request Forgery protection feature (CVE-2016-0948).  
  • This update resolves insufficient input validation in a URL parameter (CVE-2016-0949).
  • This update resolves a vulnerability that could be used to misrepresent information presented in the user interface (content spoofing) (CVE-2016-0950).  

Acknowledgments

Adobe would like to thank the following individuals for reporting these issues and for working with Adobe to help protect our customers:

  • Eugene Dokukin and Francisco Correa (panchocosil) (CVE-2016-0948)
  • Francisco Correa (panchocosil) (CVE-2016-0949)
  • Lawrence Amer (CVE-2016-0950)