Release date: December 13, 2016
Last updated: December 14, 2016
Vulnerability identifier: APSB16-42
CVE number: CVE-2016-7882, CVE-2016-7883, CVE-2016-7884, CVE-2016-7885
Adobe has released security updates for Adobe Experience Manager. These updates resolve three important input validation issues that could be used in cross-site scripting attacks (CVE-2016-7882, CVE-2016-7883 and CVE-2016-7884), and include an update to protect users from an important Cross-Site Request Forgery vulnerability (CVE-2016-7885).
|Adobe Experience Manager||6.1||2||Release note|
Please contact Adobe customer care for assistance with earlier AEM versions.
|Description||CVE||Affected Versions||Download Package|
Updates resolve an important input validation issue in WCMDebug filter that could be used in cross-site scripting attacks.
||6.2 and earlier versions||Hotfix 12444 for 6.2
Hotfix 12444 for 6.1 SP2 
Hotfix 12444 for 6.0 SP3
Updates resolve an important input validation issue in create launch Wizard that could be used in cross-site scripting attacks.
||6.2||Hotfix 13062 for 6.2
Updates resolve an important input validation issue in DAM create assets that could be used in cross-site scripting attacks.
||6.1 and earlier versions||Cumulative Fix pack for 6.1 SP2
Hotfix 13297 for 6.0 SP3
Updates in the Jackrabbit component to protect users from Cross-Site Request Forgery.
|CVE-2016-7885||6.2 and earlier versions||Hotfix 13547 for 6.2
Hotfix 12817 for 6.1
Hotfix 12846 for 6.0
Adobe would like to thank Daniel Hamid for reporting CVE-2016-7882 and for working with Adobe to help protect our customers. CVE-2016-7883, CVE-2016-7884 and CVE-2016-7885 were anonymously reported.