Adobe Systems today issued patched updates for Acrobat and Reader, Flash Player, Experience Manager, and the Cloud Desktop Application, collectively fixing 11 vulnerabilities, two of them critical.

The two most serious bugs, both of which can result in arbitrary code execution, were discovered in multiple versions of Acrobat and Reader for Windows and macOS. The first is an out-of-bounds write (CVE-2018-12808) discovered by Cybellum Technologies LTD, and the second is an untrusted pointer dereference (CVE-2018-12799), reported by Abdul Aziz Hariri via Trend Micro’s Zero-Day Initiative.

Five bugs deemed “important” were found in Flash Player Desktop Runtime (multiple platforms), Flash Player for Google Chrome, and Flash Player for Microsoft Edge and Internet Explorer 11. Three of them are three out-of-bounds reads that can lead to information disclosure (CVE-2018-12824, 12826, 12827), while the two others are a security mitigation bypass (CVE-2018-12825) and privilege escalation (CVE-2018-12828) caused by use of a vulnerable component.

One other important issue was spotted in the Creative Cloud Desktop Application installer for Windows — a privilege escalation vulnerability resulting from insuring library loading (CVE-2018-5003).

And finally, Adobe disclosed that Experience Manager versions 6.0 – 6.4 (all platforms) possess three moderate flaws — a cross-site scripting (CVE-2018-5005) and a reflected cross-site scripting (CVE-2018-12806) that both can trigger sensitive information disclosure, and an input validation bypass (CVE-2018-12807) that can cause unauthorized information modification.

Adobe is unaware of any exploits in the wild leveraging any of these flaws.