Bulletin ID
Last updated on
Security updates available for Adobe Experience Manager | APSB20-56
|
|
Date Published |
Priority |
|---|---|---|
|
APSB20-56 |
September 8, 2020 |
2 |
Summary
Affected product versions
| Product | Version | Platform |
|---|---|---|
| Adobe Experience Manager |
6.5.5.0 and earlier versions |
All |
| 6.4.8.1 and earlier versions |
All |
|
| 6.3.3.8 and earlier versions |
All |
|
| 6.2 SP1-CFP20 and earlier versions |
All |
|
| AEM Forms add-on |
AEM Forms Service Pack 5 add-on package for AEM 6.5.5.0 |
All |
| AEM Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 1 (6.4.8.1) |
All |
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:
Product |
Version |
Platform |
Priority |
Availability |
|---|---|---|---|---|
Adobe Experience Manager (AEM) |
6.5.6.0 |
All |
2 |
AEM 6.5 Service Pack Release Notes |
6.4.8.2 |
All |
2 |
||
| AEM Forms add-on |
AEM Forms Service Pack 6 add-on package for AEM 6.5.6.0 |
All |
2 |
AEM Forms Releases |
| AEM Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 2 (6.4.8.2) |
All | 2 |
Note:
Adobe Experience Manager 6.5.6.0 is an important update that includes new features, key customer requested enhancements, and performance, stability, and security improvements released since the general availability of 6.5 release in April 2019. It can be installed on top of Adobe Experience Manager 6.5.
Note:
AEM Cumulative Fix Pack 6.4.8.2 is an important update that includes several internal and customer fixes since the general availability of AEM 6.4 Service Pack 8 (6.4.8.0) in March 2020. AEM Cumulative Fix Pack 6.4.8.2 is dependent on AEM 6.4 Service Pack 8. Therefore, you must install the AEM Cumulative Fix Pack 6.4.8.2 package after installing AEM 6.4 Service Pack 8.
Note:
Please contact Adobe customer care for assistance with AEM versions 6.3 and 6.2.
Vulnerability details
| Vulnerability Category |
Vulnerability Impact |
Severity |
CVE Number |
Affected Versions |
|---|---|---|---|---|
| Cross-site scripting (stored) |
Arbitrary JavaScript execution in the browser |
Critical |
CVE-2020-9732 | AEM Forms Service Pack 5 add-on package for AEM 6.5.5.0 AEM Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 1 (6.4.8.1) |
| Execution with Unnecessary Privileges |
Sensitive Information Disclosure | Important |
CVE-2020-9733 |
AEM 6.5.5.0 and earlier AEM 6.4.8.1 and earlier |
| Cross-site scripting (stored) |
Arbitrary JavaScript execution in the browser |
Critical |
CVE-2020-9734 |
AEM Forms Service Pack 5 add-on package for AEM 6.5.5.0 AEM Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 1 (6.4.8.1) |
| Cross-site scripting (stored) |
Arbitrary JavaScript execution in the browser |
Important |
CVE-2020-9735 |
AEM 6.5.5.0 and earlier AEM 6.4.8.1 and earlier AEM 6.3.3.8 and earlier AEM 6.2 SP1-CFP20 and earlier |
| Cross-site scripting (stored) |
Arbitrary JavaScript execution in the browser |
Important |
CVE-2020-9736 |
AEM 6.5.5.0 and earlier AEM 6.4.8.1 and earlier AEM 6.3.3.8 and earlier AEM 6.2 SP1-CFP20 and earlier |
| Cross-site scripting (stored) |
Arbitrary JavaScript execution in the browser |
Important |
CVE-2020-9737 |
AEM 6.5.5.0 and earlier AEM 6.4.8.1 and earlier AEM 6.3.3.8 and earlier AEM 6.2 SP1-CFP20 and earlier |
| Cross-site scripting (stored) |
Arbitrary JavaScript execution in the browser |
Important |
CVE-2020-9738 |
AEM 6.5.5.0 and earlier AEM 6.4.8.1 and earlier AEM 6.3.3.8 and earlier AEM 6.2 SP1-CFP20 and earlier |
| Cross-site scripting (stored) |
Arbitrary JavaScript execution in the browser |
Critical |
CVE-2020-9740 |
AEM 6.5.5.0 and earlier AEM 6.4.8.1 and earlier AEM 6.3.3.8 and earlier AEM 6.2 SP1-CFP20 and earlier |
| Cross-site scripting (stored) |
Arbitrary JavaScript execution in the browser |
Critical |
CVE-2020-9741 |
AEM Forms Service Pack 5 add-on package for AEM 6.5.5.0 AEM Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 1 (6.4.8.1) |
| Cross-site scripting (reflected) |
Arbitrary JavaScript execution in the browser |
Critical |
CVE-2020-9742 |
AEM 6.5.5.0 and earlier AEM 6.4.8.1 and earlier AEM 6.3.3.8 and earlier |
| HTML injection |
Arbitrary HTML injection in the browser |
Important |
CVE-2020-9743 |
AEM 6.5.5.0 and earlier AEM 6.4.8.1 and earlier AEM 6.3.3.8 and earlier AEM 6.2 SP1-CFP20 and earlier |
Updates to dependencies
|
Dependency |
Vulnerability Impact |
Affected Versions |
|
Handlebars.js |
Arbitrary JavaScript execution in the browser |
AEM 6.5.5.0 and earlier AEM 6.4.8.1 and earlier AEM 6.3.3.8 and earlier AEM 6.2 SP1-CFP20 and earlier |
|
Lodash.js (removed from AEM) |
Prototype pollution |
AEM 6.5.5.0 and earlier AEM 6.4.8.1 and earlier AEM 6.3.3.8 and earlier AEM 6.2 SP1-CFP20 and earlier |
|
Log4j |
Deserialization of untrusted data |
AEM 6.5.5.0 and earlier AEM 6.4.8.1 and earlier AEM 6.3.3.8 and earlier AEM 6.2 SP1-CFP20 and earlier |
|
Dom4j |
XXE (Xml eXternal Entity) injection |
AEM 6.5.5.0 and earlier AEM 6.4.8.1 and earlier AEM 6.3.3.8 and earlier AEM 6.2 SP1-CFP20 and earlier |
Revisions
September 9, 2020: Added more precise versioning information for the AEM Forms versions affected by the CVEs referenced in the bulletin.