Security updates available for Adobe Experience Manager | APSB20-56
| Bulletin ID | Date Published | Priority |
|---|---|---|
| APSB20-56 | September 8, 2020 | 2 |
Summary
Affected product versions
| Product | Version | Platform |
|---|---|---|
| Adobe Experience Manager | 6.5.5.0 and earlier versions | All |
| Adobe Experience Manager | 6.4.8.1 and earlier versions | All |
| Adobe Experience Manager | 6.3.3.8 and earlier versions | All |
| Adobe Experience Manager | 6.2 SP1-CFP20 and earlier versions | All |
| AEM Forms add-on | AEM Forms Service Pack 5 and earlier versions | All |
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:
| Product | Version | Platform | Priority | Availability |
|---|---|---|---|---|
| Adobe Experience Manager (AEM) | 6.5.6.0 | All | 2 | AEM 6.5 Service Pack Release Notes |
| Adobe Experience Manager (AEM) | 6.4.8.2 | All | 2 | AEM 6.5 Service Pack Release Notes |
| AEM Forms add-on | AEM Forms Service Pack 6 | All | 2 | AEM Forms Releases |
Adobe Experience Manager 6.5.6.0 is an important update that includes new features, key customer-requested enhancements, and performance, stability, and security improvements released since the general availability of the 6.5 release in April 2019. It can be installed on top of Adobe Experience Manager 6.5.
AEM Cumulative Fix Pack 6.4.8.2 is an important update that includes several internal and customer fixes made since the general availability of AEM 6.4 Service Pack 8 (6.4.8.0) in March 2020. AEM Cumulative Fix Pack 6.4.8.2 depends on AEM 6.4 Service Pack 8; therefore, you must install the AEM Cumulative Fix Pack 6.4.8.2 package after installing AEM 6.4 Service Pack 8.
Please contact Adobe customer care for assistance with AEM versions 6.3 and 6.2.
Vulnerability details
| Vulnerability Category | Vulnerability Impact | Severity | CVE Number | Affected Versions | 
|---|---|---|---|---|
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9732 | AEM Forms SP5 and earlier |
| Execution with unnecessary privileges | Sensitive information disclosure | Important | CVE-2020-9733 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier |
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9734 | AEM Forms SP5 and earlier |
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Important | CVE-2020-9735 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier |
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Important | CVE-2020-9736 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier |
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Important | CVE-2020-9737 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier |
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Important | CVE-2020-9738 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier |
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9740 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier |
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9741 | AEM Forms SP5 and earlier |
| Cross-site scripting (reflected) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9742 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier |
| HTML injection | Arbitrary HTML injection in the browser | Important | CVE-2020-9743 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier |
Updates to dependencies
| Dependency | Vulnerability Impact | Affected Versions |
|---|---|---|
| Handlebars.js | Arbitrary JavaScript execution in the browser | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier |
| Lodash.js (removed from AEM) | Prototype pollution | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier |
| Log4j | Deserialization of untrusted data | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier |
| Dom4j | XXE (XML eXternal Entity) injection | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier |