Security Bulletins

Macromedia uses the Security Zone to periodically publish security bulletins and technical briefs that provide information to customers about issues we believe are significant. The Security Zone only lists hot fixes and updates relating to security issues. Please visit the Latest Product Updates page for a list of other product updates.


Latest Notices

APSB06-03 Flash Player Update to Address Security Vulnerabilities
Critical vulnerabilities have been identified in Flash Player that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system.
* March 14, 2006

APSB06-02 Improper Memory Access Vulnerability in Macromedia Shockwave Player by Adobe
A vulnerability in the Shockwave Player ActiveX installer has been identified that could allow the execution of arbitrary code.
* February 23, 2006

MPSB05-14 Cumulative Security Updater for ColdFusion MX 7
This is a cumulative security updater for ColdFusion MX 7 server that includes all previously released patches.
* December 15, 2005

MPSB05-13 Cumulative Security Updater for JRun 4.0 server
This is a cumulative security updater for JRun server that includes all previously released patches for 4.0.
* December 15, 2005

MPSB05-12 Sandbox Security and CFMAIL Vulnerability in ColdFusion MX 6.X
This bulletin addresses two (2) privately reported security issues with ColdFusion 6.X.
* December 15, 2005

MPSB05-11 Administrator Interface Denial of Service Vulnerability in Flash Media Server
This bulletin addresses a publicly reported security issue with Flash Media Server.
* December 15, 2005

MPSB05-10 Security Patch for Insufficient Validation in Breeze Communication Server and Breeze Live Server
The Breeze Communication Server and Breeze Live Server do not sufficiently validate some RTMP data. This can cause server instability or crashes for licensed customers.
* November 15, 2005

MPSB05-09 Security Patch for Insufficient Validation in Flash Communication Server
Flash Communication Server MX does not sufficiently validate some RTMP data. This can cause server instability or crashes.
* November 15, 2005

MPSB05-08 Contribute Publishing Server Password Encryption
Macromedia Contribute Publishing Server (CPS) 1.11 includes a security update which addresses an issue related to user password encryption in connection keys that use shared FTP login credentials.
* November 15, 2005

MPSB05-07 Flash Player 7 Improper Memory Access Vulnerability
A vulnerability in Macromedia Flash Player 7 has been identified that could allow the execution of arbitrary code.
* November 4, 2005

MPSB05-06 Breeze 5.0 Password Reset Encryption
Macromedia Breeze 5.1 includes a security update which addresses an issue related to user password encryption in the database when resetting passwords in Macromedia Breeze 5.0.
* September 29, 2005

MPSB05-05 Security Patch available for JRun 4.0 token collision
Under high load, JRun may generate two sessions with the same authentication token. This cannot be controlled by an attacker and it occurs very rarely, but it may cause two authenticated users to share information from a single user session.
* July 14, 2005

MPSB05-04 Potential Security Risk with Macromedia eLicensing Client Activation Code
Windows versions of the Macromedia installers and eLicensing client install a service with permissions that allow any member of the "Users" group to modify the service settings. This may allow local users to obtain the permissions of the "Local System" account.
* June 9, 2005

MPSB05-01 Skulls.D Trojan Using "Macromedia Flash" As Name
F-Secure has reported a Trojan for the Symbian OS distributed in files named "Flash_1.1_Full_DotSiS.sis", "Macromedia_Flash_1.1_Full_DotSiS.sis", and similar variants. These files are not distributed by Macromedia and do not contain any software built by Macromedia. Users should not execute these files.
* January 6, 2005

Get notified of new Macromedia Security Bulletins by email.

Product Index



Macromedia MX 2004 products

| Brief | Originally Posted | Last Updated |
| --- | --- | --- |
| MPSB04-07: Macromedia Products Not Affected by Microsoft JPEG/GDIPlus Vulnerability | Sept 22, 2004 | Sept 22, 2004 |
| MPSB04-03: Potential Security Risk with Macromedia E-Licensing Client Activation Code | Mar 12, 2004 | Mar 12, 2004 |

Dreamweaver MX

| Brief | Originally Posted | Last Updated |
| --- | --- | --- |
| MPSB04-05: Potential Risk in Dreamweaver Remote Database Connectivity | April 2, 2004 | April 2, 2004 |
| MPSB03-05: Patch and Work Around for Dreamweaver MX, DRK, and UltraDev Server Behaviors | Aug 19, 2003 | Aug 19, 2003 |

Macromedia Flash Player

| Brief | Originally Posted | Last Updated |
| --- | --- | --- |
| MPSB03-08: Update to Flash Player Addressing Local Shared Object Security | Dec 16, 2003 | Dec 16, 2003 |
| MPSB03-03: Security Patch for Macromedia Flash Player | Mar 3, 2003 | Mar 11, 2003 |
| MPSB02-15: Macromedia Flash Malformed Header Vulnerability Issue | Dec 12, 2002 | Dec 12, 2002 |
| MPSB02-09: Macromedia Flash Malformed Header Vulnerability Issue | Aug 8, 2002 | Aug 8, 2002 |
| MPSB02-10: Macromedia Flash URL Modification Issue | Aug 8, 2002 | Aug 8, 2002 |
| MPSB02-08: Macromedia Flash Player Cross Server Scripting Security Issue | June 13, 2002 | June 13, 2002 |

Macromedia Shockwave Player

| Brief | Originally Posted | Last Updated |
| --- | --- | --- |
| MPSB02-11: Macromedia Shockwave URL Modification Issue | Nov 27, 2001 | Nov 27, 2001 |

ColdFusion 7

| Brief | Originally Posted | Last Updated |
| --- | --- | --- |
| MPSB05-03: ColdFusion MX 7 cross-site scripting in default error page | May 10, 2005 | May 10, 2005 |

ColdFusion MX 6.1

| Brief | Originally Posted | Last Updated |
| --- | --- | --- |
| MPSB05-02: Workaround available for ColdFusion MX 6.1 Updater file disclosure | April 7, 2005 | April 7, 2005 |
| MPSB04-10: The CFOBJECT tag and CreateObject functions should be secured in a shared or untrusted developer environment | October 8, 2004 | October 8, 2004 |
| MPSB04-09: Cumulative Security Patch available for ColdFusion MX | September 23, 2004 | September 23, 2004 |
| MPSB04-06: Security Patch available for ColdFusion MX 6.1 File Upload Denial of service | April 15, 2004 | April 15, 2004 |
| MPSB04-01: Security Patch available for ColdFusion MX sandbox security | Jan 28, 2004 | Jan 28, 2004 |
| MPSB04-02: Security Patch available for ColdFusion MX 6.1 form fields Denial of service | Jan 28, 2004 | Jan 28, 2004 |
| MPSB03-07: Security Patch available for ColdFusion MX and JRun 4.0 Web Services DoS | Dec 9, 2003 | Dec 10, 2003 |
| MPSB03-06: Security Patch Available for ColdFusion MX/ColdFusion Cross-Site Scripting Vulnerability with Default Error Handlers | Sept 18, 2003 | Sept 18, 2003 |
| MPSB03-04: Patch for Apache 1.3.x, 2.0 View Source Vulnerability in ColdFusion MX and JRun 4.0 on Windows | July 8, 2003 | July 8, 2003 |
| MPSB03-02: Using Windows NT Authentication and Windows file permissions | Jan 30, 2003 | Jan 30, 2003 |

ColdFusion MX 6.0

| Brief | Originally Posted | Last Updated |
| --- | --- | --- |
| MPSB04-10: The CFOBJECT tag and CreateObject functions should be secured in a shared or untrusted developer environment | October 8, 2004 | October 8, 2004 |
| MPSB04-09: Cumulative Security Patch available for ColdFusion MX | September 23, 2004 | September 23, 2004 |
| MPSB04-04: Security Patch available for ColdFusion MX and JRun 4.0 Web Services DoS | Mar 15, 2004 | Mar 15, 2004 |
| MPSB03-07: Security Patch available for ColdFusion MX and JRun 4.0 Web Services DoS | Dec 9, 2003 | Dec 10, 2003 |
| MPSB03-06: Security Patch Available for ColdFusion MX/ColdFusion Cross-Site Scripting Vulnerability with Default Error Handlers | Sept 18, 2003 | Sept 18, 2003 |
| MPSB03-04: Patch for Apache 1.3.x, 2.0 View Source Vulnerability in ColdFusion MX and JRun 4.0 on Windows | July 8, 2003 | July 8, 2003 |
| MPSB03-02: Using Windows NT Authentication and Windows file permissions | Jan 30, 2003 | Jan 30, 2003 |
| MPSB03-01: Patch available for ColdFusion MX Enterprise Edition | Jan 9, 2003 | Jan 9, 2003 |
| MPSB02-13: ColdFusion MX file extension mappings | Nov 6, 2002 | Nov 6, 2002 |
| MPSB02-07: Patch available to support Apache 2.0.39 with JRun 4.0/ColdFusion MX | Jun 27, 2002 | Jun 27, 2002 |
| MPSB02-05: Patch Available for Buffer Overflow attack on ColdFusion MX with Microsoft IIS | Jun 27, 2002 | Jun 27, 2002 |
| MPSB02-04: ColdFusion MX Enterprise Edition's JSP functionality should be disabled in shared, hosted environments | Jun 13, 2002 | Jun 13, 2002 |
| MPSB02-03: Patch available for default Missing Template page in ColdFusion MX | Jun 13, 2002 | Jun 13, 2002 |

ColdFusion (previous versions)

| Brief | Originally Posted | Last Updated |
| --- | --- | --- |
| MPSB03-06: Security Patch Available for ColdFusion MX/ColdFusion Cross-Site Scripting Vulnerability with Default Error Handlers | Sept 18, 2003 | Sept 18, 2003 |
| MPSB02-01: Certain DOS reserved filenames may cause ColdFusion to display the physical web root directory when ColdFusion is used with Microsoft IIS | May 9, 2002 | May 9, 2002 |
| MPSB01-11: The CFEXECUTE tag should be disabled when using ColdFusion Sandbox Security (Operating System type) on Windows | Nov 27, 2001 | Nov 27, 2001 |
| MPSB01-08: Best Practice for Security Issue in Example Applications Released with ColdFusion Server Versions 4.x and Earlier | Aug 7, 2001 | Aug 7, 2001 |
| MPSB01-07: ColdFusion Security Patch for versions 2.0 through 4.5.1 SP2 | Jul 11, 2001 | Jul 11, 2001 |
| ASB00-14: Workaround available for Denial of Service attack against ColdFusion Administrator | Jun 07, 2000 | Jun 07, 2000 |
| ASB00-12: ClusterCATS Appends Stale Query String to URL Line during HTML Redirection | May 08, 2000 | May 08, 2000 |
| ASB00-03: Patch Available For Potential Information Exposure By The CFCACHE Tag | Jan 04, 2000 | Jan 04, 2000 |
| ASB99-10: Addressing Potential Security Issues with Undocumented CFML Tags and Functions Used in the ColdFusion Administrator | Jul 29, 1999 | Sep 29, 1999 |
| ASB99-04: Multiple SQL Statements in Dynamic Queries | Feb 04, 1999 | Jun 01, 1999 |
| ASB99-07: Solution Available for Denial-of-Service Attack Using CF Admin. Start/Stop Utility | May 19, 1999 | May 19, 1999 |
| ASB99-08: Pages Encrypted with CFCRYPT.EXE Can Be Illegally Decrypted | May 19, 1999 | May 19, 1999 |
| ASB99-02: ColdFusion Example Applications and Sample Code Exposes Servers | Feb 04, 1999 | May 19, 1999 |
| ASB99-01: Expression Evaluator Security Issues | Feb 04, 1999 | Apr 30, 1999 |

Forums

| Brief | Originally Posted | Last Updated |
| --- | --- | --- |
| ASB00-06: Patch Available for Allaire Forums 2.0.5 security issue | Apr 03, 2000 | Apr 03, 2000 |
| ASB99-05: Allaire Forums Security Issues | Mar 30, 1999 | Mar 30, 1999 |

JRun 4.0

| Brief | Originally Posted | Last Updated |
| --- | --- | --- |
| MPSB04-08: Cumulative Security Patch available for JRun server | September 23, 2004 | September 23, 2004 |
| MPSB04-04: Security Patch available for ColdFusion MX and JRun 4.0 Web Services DoS | Mar 15, 2004 | Mar 15, 2004 |
| MPSB03-07: Security Patch available for ColdFusion MX and JRun 4.0 Web Services DoS | Dec 9, 2003 | Dec 10, 2003 |
| MPSB03-04: Patch for Apache 1.3.x, 2.0 View Source Vulnerability in ColdFusion MX and JRun 4.0 on Windows | July 8, 2003 | July 8, 2003 |
| MPSB02-12: Cumulative Security Patch available for JRun 3.0, 3.1 and 4.0. | Nov 6, 2002 | Nov 20, 2002 |
| MPSB02-07: Patch available to support Apache 2.0.39 with JRun 4.0/ColdFusion MX | Jun 27, 2002 | Jun 27, 2002 |
| MPSB02-06: Cumulative Security Patch available for JRun 3.0, 3.1 and 4.0. | Jun 27, 2002 | Aug 19, 2002 |

JRun 3.x

| Brief | Originally Posted | Last Updated |
| --- | --- | --- |
| MPSB04-08: Cumulative Security Patch available for JRun server | September 23, 2004 | September 23, 2004 |
| MPSB02-06: Cumulative Security Patch available for JRun 3.0, 3.1 and 4.0. | Jun 27, 2002 | Aug 19, 2002 |
| MPSB02-02: Patch Available for ISAPI buffer overflow in JRun 3.0/3.1 | May 29, 2002 | May 29, 2002 |
| MPSB01-18: Patch Available for Unnecessary Appending of jsessionid in URL (URL Rewriting) | Dec 06, 2001 | Dec 06, 2001 |
| MPSB01-17: Patch Available for File System Traversal Issue with JRun Web Server on Windows platforms | Dec 06, 2001 | Dec 06, 2001 |
| MPSB01-16: Patch Available for Retrieval of File Content with an HTTP GET under Certain Conditions | Dec 06, 2001 | Dec 06, 2001 |
| MPSB01-15: Patch Available for Revealing Source Code when Accessing a JSP as myjsp%00 or myjs%2570 via the JWS or IIS | Dec 06, 2001 | Dec 06, 2001 |
| MPSB01-14: Patch Available for Serving JSP Pages out of the WEB-INF and META-INF Directories | Dec 06, 2001 | Dec 06, 2001 |
| MPSB01-13: Workaround Addresses Web Server Root Directory Browse Access | Nov 27, 2001 | Dec 06, 2001 |
| MPSB01-12: Workaround Addresses JRun Server SSIFilter Security Issue | Nov 27, 2001 | Nov 27, 2001 |
| MPSB01-10: Patch Available for Duplicate Session IDs Issue | Nov 27, 2001 | Dec 06, 2001 |
| MPSB01-09: (a.k.a. JSP view source vulnerability) | Aug 09, 2001 | Dec 06, 2001 |
| MPSB01-06: JRun 3.1, JRun 3.0, JRun 2.3.3: Cross-site scripting vulnerability (a.k.a. JavaScript code execution vulnerability) | Jun 28, 2001 | Aug 08, 2001 |
| MPSB01-05: JRun 3.0: Patch available for accessing a restricted directory via web authentication when the case of the directory mapping referenced in the URI is other than what is stored in web.xml | Jun 28, 2001 | Aug 08, 2001 |
| MPSB01-04: JRun 3.0: Patch available for re-generation of new java, class, et al. files when adding a forward slash to a previously run jsp, and accessing it through a browser | Jun 28, 2001 | Aug 08, 2001 |
| MPSB01-03: JRun 3.1, 3.0, 2.3.3: Patch available for ability to view jsp source code when replacing the "p" in "jsp" with "%70" in the URI | Jun 28, 2001 | Aug 08, 2001 |
| ASB01-02: JRun 3.0: Patch available for JRun malformed URI WEB-INF directory information and web.xml file retrieval issue | Jan 24, 2001 | Jan 24, 2001 |
| ASB00-30: JRun 3.0: Patch available for "multiple .'s denial of service" issue | Oct 31, 2000 | Oct 31, 2000 |
| ASB00-27: JRun 3.0: Patch available for "extra leading slash" security issue | Oct 23, 2000 | Oct 23, 2000 |
| ASB00-18: Patch available for JRun 3.0 EJB property disclosure issue | Aug 09, 2000 | Aug 09, 2000 |

JRun 2.x

| Brief | Originally Posted | Last Updated |
| --- | --- | --- |
| MPSB01-06: JRun 3.1, JRun 3.0, JRun 2.3.3: Cross-site scripting vulnerability (a.k.a. JavaScript code execution vulnerability) | Jun 28, 2001 | Aug 08, 2001 |
| MPSB01-03: JRun 3.1, 3.0, 2.3.3: Patch available for ability to view jsp source code when replacing the "p" in "jsp" with "%70" in the URI | Jun 28, 2001 | Aug 08, 2001 |
| ASB00-28: JRun 2.3.3: Patch available for "non-webroot requests" security issue | Oct 23, 2000 | Oct 23, 2000 |
| ASB00-29: JRun 2.3.3: Patch available for "JSP execution of arbitrary file" security issue | Oct 23, 2000 | Oct 23, 2000 |
| ASB00-19: Patch available for JRun trailing character JSP source code disclosure issue | Aug 09, 2000 | Aug 09, 2000 |
| ASB00-15: Workaround available for vulnerabilities exposed by JRun 2.3.x code samples | Jun 22, 2000 | Jun 22, 2000 |

Macromedia Spectra

| Brief | Originally Posted | Last Updated |
| --- | --- | --- |
| ASB00-23: Spectra 1.0.1: Workaround available for administrative interface security issue | Aug 30, 2000 | Aug 30, 2000 |
| ASB00-10: Patch Available for Spectra Container Editor Preview Object Security Issue | Apr 24, 2000 | Apr 24, 2000 |
| ASB00-04: Patch Available for Allaire Spectra 1.0 Security Authentication System | Jan 31, 2000 | Jan 31, 2000 |
| ASB00-01: Enhancing Authenticated Webtop User Security in Allaire Spectra 1.0 | Jan 04, 2000 | Jan 04, 2000 |
| ASB00-02: Addressing Potential Denial Of Service Problem With Installation Files In Allaire Spectra 1.0 | Jan 04, 2000 | Jan 04, 2000 |

Last Updated: February 21, 2006
Issues sorted by Product and Version
APSB - Adobe Product Security Bulletins since January 2006
MPSB - Macromedia Product Security Bulletins between April 2001 and December 2005
ASB - Allaire Security Bulletins before April 2001
CSB - Customer Security Bulletins from other vendors