Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On October 29, 2015

October 28, Securityweek – (International) Adobe patches critical vulnerability in Shockwave Player. Adobe released a patch resolving a memory corruption vulnerability in its Shockwave Player 12.2.0.162 for Windows and Mac users after researchers from Fortinet’s FortiGuard Labs discovered that the vulnerability allowed attackers to compromise remote computers and execute code remotely, giving them full control of the operating system without the victim being aware. Source

October 28, Softpedia – (International) Oracle EBS fixed against XSS, XXE, and SQL injection vulnerabilities. Oracle released patches containing 154 fixes addressing vulnerabilities in several of its products. Six of the vulnerabilities were found by ERPScan researchers in the Oracle E-Business Suite (Oracle EBS): 3 XXE (XML External Entity) injection vulnerabilities, a user enumeration flaw, a cross-site scripting (XSS) problem, and a Structured Query Language (SQL) flaw that could potentially give attackers administrative rights over the Oracle EBS and its subsequent applications, allowing them to access sensitive company data from departments including financial, human resources, supply chain, and customer support. Source

October 28, Securityweek – (International) Flaws in Rockwell PLCs expose operational networks. Rockwell Automation released firmware updates and mitigations addressing several vulnerabilities in its 1400 programmable logic controllers (PLCs) and its MicroLogix 1100 products. The flaws include a buffer overflow bug that can be exploited to remotely crash affected devices or execute arbitrary code, a denial-of-service (DoS) bug dubbed “FrostyURL” that can be exploited to crash MicroLogix PLCs via a specially crafted uniform resource locator (URL) sent to victims through email, and a cross-site scripting (XSS) vulnerability that can be exploited to inject malicious JavaScript code into a device’s web server, among others. Source

Nancy Rand


Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.