Bulletin ID
Last updated on
Security updates available for Adobe Experience Manager | APSB24-05
|
|
Date Published |
Priority |
|---|---|---|
|
APSB24-05 |
March 12, 2024 |
3 |
Summary
Affected product versions
| Product | Version | Platform |
|---|---|---|
| Adobe Experience Manager (AEM) |
AEM Cloud Service (CS) |
All |
| 6.5.19.0 and earlier versions |
All |
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:
Product |
Version |
Platform |
Priority |
Availability |
|---|---|---|---|---|
| Adobe Experience Manager (AEM) |
AEM Cloud Service Release 2024.03 |
All | 3 | Release Notes |
| 6.5.20.0 | All |
3 |
AEM 6.5 Service Pack Release Notes |
Note:
Customers running on Adobe Experience Manager’s Cloud Service will automatically receive updates that include new features as well as security and functionality bug fixes.
Note:
Experience Manager Security Considerations:
AEM as a Cloud Service Security Considerations
Anonymous Permission Hardening Package
Note:
Please contact Adobe customer care for assistance with AEM versions 6.4, 6.3 and 6.2.
Vulnerability Details
| Vulnerability Category |
Vulnerability Impact |
Severity |
CVSS base score |
CVSS vector |
CVE Number |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26028 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26030 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26031 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26032 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26033 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26034 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26035 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26038 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26040 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26041 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26042 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26043 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26044 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26045 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 4.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N | CVE-2024-26050 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26052 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26056 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26059 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26061 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26062 |
| Information Exposure (CWE-200) | Security feature bypass | Important | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | CVE-2024-26063 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26064 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26065 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26067 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26069 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26073 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26080 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26094 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26096 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26102 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26103 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26104 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26105 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26106 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26107 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26118 |
| Improper Access Control (CWE-284) | Security feature bypass | Important | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | CVE-2024-26119 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26120 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26124 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26125 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-20760 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-20768 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
CVE-2024-20799 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
CVE-2024-20800 |
| Improper Input Validation (CWE-20) | Security feature bypass | Moderate | 3.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N | CVE-2024-26126 |
| Improper Input Validation (CWE-20) | Security feature bypass | Moderate | 3.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N | CVE-2024-26127 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution | Moderate | 3.4 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N | CVE-2024-26051 |
Note:
If a customer is using Apache httpd in a proxy with a non-default configuration, they may be impacted by CVE-2023-25690 - please read more here: https://httpd.apache.org/security/vulnerabilities_24.html
Acknowledgments
Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers:
- Lorenzo Pirondini -- CVE-2024-26028, CVE-2024-26032, CVE-2024-26033, CVE-2024-26034, CVE-2024-26035, CVE-2024-26038, CVE-2024-26040, CVE-2024-26041, CVE-2024-26042, CVE-2024-26043, CVE-2024-26044, CVE-2024-26045, CVE-2024-26052, CVE-2024-26059, CVE-2024-26064, CVE-2024-26065, CVE-2024-26073, CVE-2024-26080, CVE-2024-26124, CVE-2024-26125, CVE-2024-20768, CVE-2024-20800
- Jim Green (green-jam) -- CVE-2024-26030, CVE-2024-26031, CVE-2024-26056, CVE-2024-26061, CVE-2024-26062, CVE-2024-26067, CVE-2024-26069, CVE-2024-26094, CVE-2024-26096, CVE-2024-26101, CVE-2024-26102, CVE-2024-26103, CVE-2024-26104, CVE-2024-26105, CVE-2024-26106, CVE-2024-26107, CVE-2024-26118, CVE-2024-26119, CVE-2024-26120, CVE-2024-20760, CVE-2024-20799
- Akshay Sharma (anonymous_blackzero) -- CVE-2024-26050, CVE-2024-26051
NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.
Revisions
April 3, 2024 - Added CVE-2024-20800
Aptil 1, 2024 - Added CVE-2024-20799
March 18, 2024 - Removed CVE-2024-26048
For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.