The vulnerability is caused due to the sites/all/modules/dragdrop_gallery/upload.php script improperly validating uploaded files, which can be exploited to execute arbitrary PHP code by uploading a PHP file with e.g. an appended ".gif" file extension.
The vulnerabilities can be exploited by malicious people to conduct cross-site scripting attacks, disclose potentially sensitive information, bypass certain security restrictions, and compromise a user's system..
On Intel CPUs, the sysret instruction can be manipulated into returning to specific non-canonical addresses, which may yield a CPU reset. We cannot currently rule out with utter confidence that this vulnerability could not also be used to execute code with kernel privilege instead of crashing the system.
The Critical Patch Update for Java SE also includes non-security fixes. Critical Patch Updates are cumulative and each advisory describes only the security fixes added since the previous Critical Patch Update. Thus, prior Critical Patch Update Advisories should be reviewed for information regarding earlier accumulated security fixes.
This Critical Patch Update contains 14 new security fixes across Java SE products.
Adobe released security updates for Adobe Flash Player 126.96.36.199 and earlier versions for Windows, Macintosh and Linux, Adobe Flash Player 188.8.131.52 and earlier versions for Android 4.x, and Adobe Flash Player 184.108.40.206 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.