Adobe Security Bulletin

Security hotfixes available for Adobe Experience Manager

Release date: August 9, 2016

Vulnerability identifier: APSB16-27

Priority: 2

CVE number: CVE-2016-4168, CVE-2016-4169, CVE-2016-4170, CVE-2016-4253

Platform: Windows, Unix, Linux and OS X

Summary

Adobe has released security hotfixes for Adobe Experience Manager. These hotfixes resolve two important input validation issues that could be used in cross-site scripting attacks (CVE-2016-4168 and CVE-2016-4170), an important vulnerability in backup functionality that could lead to information disclosure (CVE-2016-4253), and an important vulnerability that could disclose audit log events to unprivileged users (CVE-2016-4169).

Affected Versions

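| Product | Affected Versions | Platform |
|---|---|---|
| Adobe Experience Manager | 6.2 | Windows, Unix, Linux and OS X |
| Adobe Experience Manager | 6.1 | Windows, Unix, Linux and OS X |
| Adobe Experience Manager | 6.0 | Windows, Unix, Linux and OS X |
| Adobe Experience Manager | 5.6.1 | Windows, Unix, Linux and OS X |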

Solution

Adobe recommends customers with on-premise deployments install the available hotfixes referenced below. Furthermore, customers should review and implement the steps outlined in the Security Checklists for versions 6.2, 6.1, 6.0 or 5.6.1.

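| Product | Versions | Priority rating | Availability |
|---|---|---|---|
| Adobe Experience Manager | 6.2 | 2 | Hotfixes (6.2) |
| Adobe Experience Manager | 6.1 | 2 | Hotfixes (6.1) |
| Adobe Experience Manager | 6.0 | 2 | Hotfixes (6.0) |
| Adobe Experience Manager | 5.6.1 | 2 | Hotfixes (5.6.1) |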

Please visit the Adobe Experience Manager Help Page for more information on available hotfixes.  

Vulnerability Details

| Description | CVE | Affected Versions | Download Package |
|---|---|---|---|
| Hotfixes resolve an input validation issue that could be used in cross-site scripting attacks. | CVE-2016-4168 | 6.1 and earlier versions | |
| Hotfixes resolve a vulnerability that could potentially disclose audit log events to unprivileged users. | CVE-2016-4169 | 6.2, 6.1 and 6.0 | |
| Hotfixes resolve an input validation issue that could be used in cross-site scripting attacks. | CVE-2016-4170 | 6.2 and earlier versions | |
| Hotfixes resolve a vulnerability in Backup functionality that could lead to information disclosure. | CVE-2016-4253 | 6.2 and earlier versions | |

Acknowledgments

Adobe would like to thank the following individuals for reporting these issues and for working with Adobe to help protect our customers:

  • Adam Willard of Raytheon Foreground Security (CVE-2016-4168)
  • Ninad Sarang (@hbkninad) (CVE-2016-4169)
  • Franz Saller (CVE-2016-4170)
  • Kyle Lovett (CVE-2016-4253)
