Bulletin ID
Last updated on
Security updates available for Adobe Experience Manager | APSB19-38
|
|
Date Published |
Priority |
|---|---|---|
|
APSB19-38 |
July 09, 2019 |
2 |
Summary
Adobe has released security updates for Adobe Experience Manager. These updates resolve one reflected cross-site scripting vulnerability rated Moderate, one stored cross-site scripting vulnerability rated Important and one cross-site request forgery vulnerability rated Important that could result in sensitive information disclosure.
Affected product versions
|
Product |
Version |
Platform |
|---|---|---|
|
Adobe Experience Manager |
6.4 6.3 6.2 6.1 6.0 |
All |
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:
Product |
Version |
Platform |
Priority |
Availability |
|---|---|---|---|---|
Adobe Experience Manager |
6.5 |
All |
2 |
|
6.4 |
All |
2 |
||
6.3 |
All |
2 |
Please contact Adobe customer care for assistance with earlier AEM versions.
Vulnerability details
|
Vulnerability Category |
Vulnerability Impact |
Severity |
CVE Numbers |
Affected Version |
Download Package |
|---|---|---|---|---|---|
|
Cross-Site Request Forgery |
Sensitive Information disclosure
|
Important
|
CVE-2019-7953 |
AEM 6.0 AEM 6.1 AEM 6.2 AEM 6.3 AEM 6.4 |
|
|
Stored Cross-site Scripting |
Sensitive Information disclosure |
Important |
CVE-2019-7954 |
AEM 6.2 AEM 6.3 AEM 6.4 AEM 6.5 |
|
|
Reflected Cross-site Scripting |
Sensitive Information disclosure |
Moderate
|
CVE-2019-7955 |
AEM 6.2 AEM 6.3 AEM 6.4 AEM 6.5
|
Updates to Dependencies
| CVE | Dependency |
Vulnerability Impact |
Affected Versions |
| CVE-2020-11022 |
jQuery |
Arbitrary code execution |
6.5.7.0 and earlier |
| CVE-2020-11023 |
jQuery |
Arbitrary code execution |
6.5.7.0 and earlier |
Note:
Note: the packages listed in the table above are the minimum fix packs to address the relevant vulnerability. For the latest versions, please see the release notes links referenced above.
Note: If you are running the AEM version earlier than AEM 6.3 and need assistance, please contact Adobe Customer Care.
Acknowledgments
Adobe would like to thank Lorenzo Pirondini from Netcentric, a Cognizant Digital Business for reporting (CVE-2019-7955) and for working with Adobe to help protect our customers.
Revisions
July 11, 2023 - Updates to Dependencies revised.
August 9, 2017: The summary section incorrectly classified CVE-2017-3108 as Moderate. CVE-2017-3108 is rated Important, as noted in the Vulnerability Details table, and the summary section has been corrected.