Security updates available for Adobe Experience Manager | APSB20-01
Bulletin ID Date Published Priority
APSB20-01 January 14, 2020 2

Summary

Adobe has released security updates for Adobe Experience Manager (AEM). These updates resolve multiple vulnerabilities in AEM versions 6.5 and below rated Important and Moderate.  Successful exploitation could result in sensitive information disclosure.

Affected product versions

Product Version Platform
Adobe Experience Manager

6.5

6.4

6.3

6.2

6.1

6.0

All

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product

Version

Platform

Priority

Availability

 

Adobe Experience Manager

6.5

All

2

Releases and Updates

6.4

All

2

Releases and Updates

6.3

All

2

Releases and Updates

Please contact Adobe customer care for assistance with earlier AEM versions.

Vulnerability details

Vulnerability Category

Vulnerability Impact

Severity

CVE Number 

Affected Versions Download Package
Cross-Site Script Inclusion

Sensitive Information disclosure

 

Important CVE-2019-16466

AEM 6.3

AEM 6.4

AEM 6.5

Cumulative Fix Pack 6.3.3.7

Service Pack 6.4.7.0

Service Pack 6.5.3.0

Reflected Cross-Site Scripting Sensitive Information disclosure Important CVE-2019-16467

AEM 6.3

AEM 6.4 

AEM 6.5

Cumulative Fix Pack 6.3.3.7

Service Pack 6.4.7.0

Service Pack 6.5.3.0

User Interface Injection

 

 

Sensitive Information Disclosure

 

 

Moderate

 

 

CVE-2019-16468

 

 

AEM 6.3

AEM 6.4

AEM 6.5 

Cumulative Fix Pack 6.3.3.7

Service Pack 6.4.7.0

Service Pack 6.5.3.0

Expression Language injection Sensitive Information Disclosure Important CVE-2019-16469 AEM 6.5 Service Pack 6.5.3.0    

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:     

Revisions

January 16, 2020: Modified the vulnerability category of CVE-2019-16466 from "Reflected Cross-Site Scripting" to "Cross-Site script inclusion".