Security updates available for Adobe Experience Manager | APSB22-59
| Bulletin ID | Date Published | Priority |
|---|---|---|
| APSB22-59 | December 13, 2022 | 3 |
Summary
Affected product versions
| Product | Version | Platform |
|---|---|---|
| Adobe Experience Manager (AEM) | AEM Cloud Service (CS) | All |
| Adobe Experience Manager (AEM) | 6.5.14.0 and earlier versions | All |
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:
| Product | Version | Platform | Priority | Availability |
|---|---|---|---|---|
| Adobe Experience Manager (AEM) | AEM Cloud Service Release 2022.10.0 | All | 3 | Release Notes |
| Adobe Experience Manager (AEM) | 6.5.15.0 | All | 3 | AEM 6.5 Service Pack Release Notes |
Customers running on Adobe Experience Manager’s Cloud Service will automatically receive updates that include new features as well as security and functionality bug fixes.
Please contact Adobe customer care for assistance with AEM versions 6.4, 6.3 and 6.2.
Vulnerability details
| Vulnerability Category | Vulnerability Impact | Severity | CVSS base score | CVSS vector | CVE Number |
|---|---|---|---|---|---|
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-42345 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-42346 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-30679 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-42348 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-42349 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-42350 | 
| Improper Access Control (CWE-284) | Security feature bypass | Moderate | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | CVE-2022-42351 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-42352 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-35693 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-42354 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N | CVE-2022-35694 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-42356 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-42357 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-35695 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N | CVE-2022-35696 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-42360 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-42362 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-42364 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-42365 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N | CVE-2022-42366 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-42367 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-44462 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-44463 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-44465 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-44466 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-44467 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-44468 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-44469 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-44470 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-44471 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-44473 | 
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-44474 | 
| URL Redirection to Untrusted Site ('Open Redirect') (CWE-601) | Security feature bypass | Moderate | 3.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N | CVE-2022-44488 | 
| Cross-site Scripting (Reflected XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-44510 | 
Updates to dependencies
| Dependency | Vulnerability Impact | Affected Versions |
|---|---|---|
| xmlgraphics | Privilege escalation | AEM CS; AEM 6.5.9.0 and earlier |
| io.netty | Privilege escalation | AEM CS; AEM 6.5.9.0 and earlier |
Acknowledgments
Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers:
- Jim Green (green-jam): CVE-2022-42345; CVE-2022-30679; CVE-2022-42348; CVE-2022-42349; CVE-2022-42350; CVE-2022-42351; CVE-2022-42352; CVE-2022-35693; CVE-2022-42354; CVE-2022-35694; CVE-2022-42356; CVE-2022-42357; CVE-2022-35695; CVE-2022-35696; CVE-2022-42360; CVE-2022-42362; CVE-2022-42364; CVE-2022-42365; CVE-2022-42366; CVE-2022-42367; CVE-2022-44462; CVE-2022-44463; CVE-2022-44465; CVE-2022-44466; CVE-2022-44467; CVE-2022-44468; CVE-2022-44469; CVE-2022-44470; CVE-2022-44471; CVE-2022-44473; CVE-2022-44474; CVE-2022-44488; CVE-2022-44510
Revisions
December 14th, 2021: Updated acknowledgment for CVE-2021-43762
December 16, 2021: Corrected priority level of bulletin to 2
December 29, 2021: Updated acknowledgement for CVE-2021-40722
September 30, 2022: Added CVE-2022-28851
For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.