Security updates available for Adobe Experience Manager | APSB20-56
Bulletin ID | Date Published | Priority
APSB20-56 | September 8, 2020 | 2

Summary

Adobe has released updates for Adobe Experience Manager (AEM) and the AEM Forms add-on package. These updates resolve vulnerabilities rated Critical and Important. Successful exploitation of these vulnerabilities could result in arbitrary JavaScript execution in the browser.

Affected product versions

Product | Version | Platform
Adobe Experience Manager | 6.5.5.0 and earlier versions | All
Adobe Experience Manager | 6.4.8.1 and earlier versions | All
Adobe Experience Manager | 6.3.3.8 and earlier versions | All
Adobe Experience Manager | 6.2 SP1-CFP20 and earlier versions | All
AEM Forms add-on | AEM Forms Service Pack 5 add-on package for AEM 6.5.5.0 | All
AEM Forms add-on | AEM Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 1 (6.4.8.1) | All

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product | Version | Platform | Priority | Availability
Adobe Experience Manager (AEM) | 6.5.6.0 | All | 2 | AEM 6.5 Service Pack Release Notes
Adobe Experience Manager (AEM) | 6.4.8.2 | All | 2 | AEM 6.4 Cumulative Fix Pack Release Notes
AEM Forms add-on | AEM Forms Service Pack 6 add-on package for AEM 6.5.6.0 | All | 2 | AEM Forms Releases
AEM Forms add-on | AEM Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 2 (6.4.8.2) | All | 2 | AEM Forms Releases

Note:

Adobe Experience Manager 6.5.6.0 is an important update that includes new features, key customer-requested enhancements, and performance, stability, and security improvements released since the general availability of the 6.5 release in April 2019. It can be installed on top of Adobe Experience Manager 6.5.

Note:

AEM Cumulative Fix Pack 6.4.8.2 is an important update that includes several internal and customer fixes since the general availability of AEM 6.4 Service Pack 8 (6.4.8.0) in March 2020. AEM Cumulative Fix Pack 6.4.8.2 is dependent on AEM 6.4 Service Pack 8. Therefore, you must install the AEM Cumulative Fix Pack 6.4.8.2 package after installing AEM 6.4 Service Pack 8.

Note:

Please contact Adobe customer care for assistance with AEM versions 6.3 and 6.2.

Vulnerability details

Vulnerability Category | Vulnerability Impact | Severity | CVE Number | Affected Versions
Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9732 | AEM Forms Service Pack 5 add-on package for AEM 6.5.5.0; AEM Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 1 (6.4.8.1)
Execution with Unnecessary Privileges | Sensitive Information Disclosure | Important | CVE-2020-9733 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier
Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9734 | AEM Forms Service Pack 5 add-on package for AEM 6.5.5.0; AEM Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 1 (6.4.8.1)
Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Important | CVE-2020-9735 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier
Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Important | CVE-2020-9736 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier
Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Important | CVE-2020-9737 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier
Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Important | CVE-2020-9738 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier
Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9740 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier
Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9741 | AEM Forms Service Pack 5 add-on package for AEM 6.5.5.0; AEM Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 1 (6.4.8.1)
Cross-site scripting (reflected) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9742 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier
HTML injection | Arbitrary HTML injection in the browser | Important | CVE-2020-9743 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier
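A triage helper for this bulletin, added here as an example rather than Adobe's own tooling: it parses an installed AEM version string, checks it against the affected ranges in the tables above, lists the CVEs the tables assign to that branch, and names the fix package to install. The function names and the dictionary layout are my own; the thresholds and CVE-to-branch mapping are transcribed from the bulletin.

```python
"""APSB20-56 triage: is this AEM install affected, for which CVEs, and what fixes it?
Added example, not Adobe tooling. Thresholds/CVE mappings come from the bulletin's
tables; 6.3/6.2 (6.3.3.8 and 6.2 SP1-CFP20 and earlier) have no public fix pack
in this bulletin, so they are reported as 'contact Adobe customer care'."""
from typing import Dict, Set, Tuple

Version = Tuple[int, ...]

# branch -> (last affected version, fixed AEM version, fixed AEM Forms add-on package)
FIXED_IN: Dict[Version, Tuple[Version, str, str]] = {
    (6, 5): ((6, 5, 5, 0), "6.5.6.0", "AEM Forms Service Pack 6 add-on package for AEM 6.5.6.0"),
    (6, 4): ((6, 4, 8, 1), "6.4.8.2",
             "AEM Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 2 (6.4.8.2)"),
}
LEGACY_BRANCHES = {(6, 3), (6, 2)}

# Core AEM CVEs and the branches the vulnerability details table lists for each.
CORE_CVES: Dict[str, Set[Version]] = {c: {(6, 5), (6, 4), (6, 3), (6, 2)} for c in (
    "CVE-2020-9735", "CVE-2020-9736", "CVE-2020-9737", "CVE-2020-9738",
    "CVE-2020-9740", "CVE-2020-9743")}
CORE_CVES["CVE-2020-9733"] = {(6, 5), (6, 4)}          # not listed for 6.3 / 6.2
CORE_CVES["CVE-2020-9742"] = {(6, 5), (6, 4), (6, 3)}  # not listed for 6.2
# Fixed only by the AEM Forms add-on package (both the 6.5 and the 6.4 package).
FORMS_CVES = ["CVE-2020-9732", "CVE-2020-9734", "CVE-2020-9741"]


def parse_version(text: str) -> Version:
    """'6.5.5' -> (6, 5, 5, 0); rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted AEM version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))  # pad short strings to four components


def assess(version: str, forms_addon: bool = False) -> dict:
    """Affected status, applicable CVEs and remediation for one AEM install."""
    v = parse_version(version)
    branch = v[:2]
    cves = sorted(c for c, branches in CORE_CVES.items() if branch in branches)
    if branch in LEGACY_BRANCHES:
        return {"affected": True, "cves": cves, "action": "contact Adobe customer care (6.3/6.2)"}
    if branch not in FIXED_IN:
        return {"affected": None, "cves": [], "action": "branch not covered by APSB20-56"}
    last_affected, fixed, forms_fix = FIXED_IN[branch]
    if v > last_affected:
        return {"affected": False, "cves": [], "action": f"at or beyond {fixed}"}
    action = f"update to AEM {fixed}"
    if forms_addon:  # the Forms package has its own CVEs and its own fix package
        cves += FORMS_CVES
        action += f"; install {forms_fix}"
    return {"affected": True, "cves": cves, "action": action}
```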

Updates to dependencies

Dependency | Vulnerability Impact | Affected Versions
Handlebars.js | Arbitrary JavaScript execution in the browser | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier
Lodash.js (removed from AEM) | Prototype pollution | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier
Log4j | Deserialization of untrusted data | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier
Dom4j | XXE (XML eXternal Entity) injection | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier

Revisions

September 9, 2020: Added more precise versioning information for the AEM Forms versions affected by the CVEs referenced in the bulletin.