Adobe Security Bulletin

Security updates available for Adobe Experience Manager | APSB20-56

Bulletin ID

Date Published

Priority

APSB20-56 

September 8, 2020 

2

Summary

Adobe has released updates for Adobe Experience Manager (AEM) and the AEM Forms add-on package. These updates resolve vulnerabilities rated Critical and Important.  Successful exploitation of these vulnerabilities could result in arbitrary JavaScript execution in the browser.

Affected product versions

Product Version Platform
Adobe Experience Manager
6.5.5.0 and earlier versions 
All
6.4.8.1 and earlier versions 
All 
6.3.3.8 and earlier versions 
All 
6.2 SP1-CFP20 and earlier versions 
All 
AEM Forms add-on 
AEM Forms Service Pack 5 and earlier versions 
All 

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product

Version

Platform

Priority

Availability

 

Adobe Experience Manager (AEM) 

6.5.6.0 

All

2

AEM 6.5 Service Pack Release Notes   

6.4.8.2 

All

2

AEM 6.4 Cumulative Fix Pack Release Notes  

AEM Forms add-on
AEM Forms Service Pack 6
All
2
AEM Forms Releases 
Note:

Adobe Experience Manager 6.5.6.0 is an important update that includes new features, key customer requested enhancements, and performance, stability, and security improvements released since the general availability of 6.5 release in April 2019.  It can be installed on top of Adobe Experience Manager 6.5.

Note:

AEM Cumulative Fix Pack 6.4.8.2 is an important update that includes several internal and customer fixes since the general availability of AEM 6.4 Service Pack 8 (6.4.8.0) in March 2020. AEM Cumulative Fix Pack 6.4.8.2 is dependent on AEM 6.4 Service Pack 8. Therefore, you must install the AEM Cumulative Fix Pack 6.4.8.2 package after installing AEM 6.4 Service Pack 8.

Note:

Please contact Adobe customer care for assistance with AEM versions 6.3 and 6.2.

Vulnerability details

Vulnerability Category

Vulnerability Impact

Severity

CVE Number 

Affected Versions
Cross-site scripting (stored)
Arbitrary JavaScript execution in the browser
Critical
CVE-2020-9732

AEM Forms SP5 and earlier

Execution with Unnecessary Privileges
Sensitive Information Disclosure Important
CVE-2020-9733

AEM 6.5.5.0 and earlier

AEM 6.4.8.1 and earlier

Cross-site scripting (stored)
Arbitrary JavaScript execution in the browser
Critical
CVE-2020-9734
AEM Forms SP5 and earlier
Cross-site scripting (stored)
Arbitrary JavaScript execution in the browser
Important
CVE-2020-9735

AAEM 6.5.5.0 and earlier

AEM 6.4.8.1 and earlier

AEM 6.3.3.8 and earlier

AEM 6.2 SP1-CFP20 and earlier

Cross-site scripting (stored)
Arbitrary JavaScript execution in the browser
Important
CVE-2020-9736

AEM 6.5.5.0 and earlier

AEM 6.4.8.1 and earlier

AEM 6.3.3.8 and earlier

AEM 6.2 SP1-CFP20 and earlier

Cross-site scripting (stored)
Arbitrary JavaScript execution in the browser
Important
CVE-2020-9737

AEM 6.5.5.0 and earlier

AEM 6.4.8.1 and earlier

AEM 6.3.3.8 and earlier

AEM 6.2 SP1-CFP20 and earlier

Cross-site scripting (stored)
Arbitrary JavaScript execution in the browser
Important

CVE-2020-9738

AEM 6.5.5.0 and earlier

AEM 6.4.8.1 and earlier

AEM 6.3.3.8 and earlier

AEM 6.2 SP1-CFP20 and earlier

Cross-site scripting (stored)
Arbitrary JavaScript execution in the browser
Critical
CVE-2020-9740

AEM 6.5.5.0 and earlier

AEM 6.4.8.1 and earlier

AEM 6.3.3.8 and earlier

AEM 6.2 SP1-CFP20 and earlier

Cross-site scripting (stored)
Arbitrary JavaScript execution in the browser
Critical
CVE-2020-9741
AEM Forms SP5 and earlier
Cross-site scripting (reflected)
Arbitrary JavaScript execution in the browser
Critical
CVE-2020-9742

AEM 6.5.5.0 and earlier

AEM 6.4.8.1 and earlier

AEM 6.3.3.8 and earlier

HTML injection
Arbitrary HTML injection in the browser
Important
CVE-2020-9743

AEM 6.5.5.0 and earlier

AEM 6.4.8.1 and earlier

AEM 6.3.3.8 and earlier

AEM 6.2 SP1-CFP20 and earlier

Updates to dependencies

Dependency

Vulnerability Impact

Affected Versions

Handlebars.js

Arbitrary JavaScript execution in the browser

AEM 6.5.5.0 and earlier

AEM 6.4.8.1 and earlier

AEM 6.3.3.8 and earlier

AEM 6.2 SP1-CFP20 and earlier

Lodash.js (removed from AEM)

Prototype pollution

AEM 6.5.5.0 and earlier

AEM 6.4.8.1 and earlier

AEM 6.3.3.8 and earlier

AEM 6.2 SP1-CFP20 and earlier

Log4j

Deserialization of untrusted data

AEM 6.5.5.0 and earlier

AEM 6.4.8.1 and earlier

AEM 6.3.3.8 and earlier

AEM 6.2 SP1-CFP20 and earlier

Dom4j

XXE (Xml eXternal Entity) injection

AEM 6.5.5.0 and earlier

AEM 6.4.8.1 and earlier

AEM 6.3.3.8 and earlier

AEM 6.2 SP1-CFP20 and earlier

 Adobe

Get help faster and easier

New user?

Adobe MAX 2024

Adobe MAX

The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX 2024

Adobe MAX

The Creativity Conference

Oct 14–16 Miami Beach and online