Security updates available for Adobe Experience Manager
Release date: December 13, 2016
Last updated: December 14, 2016
Vulnerability identifier: APSB16-42
Priority: 2
CVE number: CVE-2016-7882, CVE-2016-7883, CVE-2016-7884, CVE-2016-7885
Platform: All
Summary
Adobe has released security updates for Adobe Experience Manager. These updates resolve three important input validation issues that could be used in cross-site scripting attacks (CVE-2016-7882, CVE-2016-7883 and CVE-2016-7884), and include an update to protect users from an important Cross-Site Request Forgery vulnerability (CVE-2016-7885).
Affected Versions
| Product | Affected Versions | Platform |
| --- | --- | --- |
| Adobe Experience Manager | 6.2 | All |
| Adobe Experience Manager | 6.1 | All |
| Adobe Experience Manager | 6.0 | All |
Solution
| Product | Versions | Priority rating | Availability |
| --- | --- | --- | --- |
| Adobe Experience Manager | 6.2 | 2 | |
| Adobe Experience Manager | 6.1 | 2 | |
| Adobe Experience Manager | 6.0 | 2 | |
Please contact Adobe customer care for assistance with earlier AEM versions.
Vulnerability Details
| Description | CVE | Affected Versions | Download Package |
| --- | --- | --- | --- |
| Updates resolve an important input validation issue in the WCMDebug filter that could be used in cross-site scripting attacks. | CVE-2016-7882 | 6.2 and earlier versions | |
| Updates resolve an important input validation issue in the create launch wizard that could be used in cross-site scripting attacks. | CVE-2016-7883 | 6.2 | |
| Updates resolve an important input validation issue in DAM create assets that could be used in cross-site scripting attacks. | CVE-2016-7884 | 6.1 and earlier versions | |
| Updates in the Jackrabbit component protect users from Cross-Site Request Forgery. | CVE-2016-7885 | 6.2 and earlier versions | |

Note: Hotfix 12444 for 6.1 SP2 is included in AEM 6.1 SP2 CFP2.
Acknowledgments
Adobe would like to thank Daniel Hamid for reporting CVE-2016-7882 and for working with Adobe to help protect our customers. CVE-2016-7883, CVE-2016-7884 and CVE-2016-7885 were anonymously reported.
Revisions
December 14, 2016: modified the impacted platforms to All (previously stated Windows, Unix, Linux and OS X). Also included a note to clarify that Hotfix 12444 was previously included with AEM 6.1 SP2 CFP2.