CVE-2022-35664: Adobe Security Bulletin

Security updates available for Adobe Experience Manager | APSB22-40

Bulletin ID

Date Published

Priority

APSB22-40

September 13, 2022

3

Summary

Adobe has released updates for Adobe Experience Manager (AEM). These updates resolve vulnerabilities rated Important.  Successful exploitation of these vulnerabilities could result in arbitrary code execution and security feature bypass.

Affected product versions

Product

Version

Platform

Adobe Experience Manager (AEM)

AEM Cloud Service (CS)

All

6.5.13.0 and earlier versions

All

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product

Version

Platform

Priority

Availability

Adobe Experience Manager (AEM)

AEM Cloud Service (CS)

All

3

Release Notes

6.5.14.0

All

3

AEM 6.5 Service Pack Release Notes

Customers running on Adobe Experience Manager’s Cloud Service will automatically receive updates that include new features as well as security and functionality bug fixes.

Vulnerability details

Vulnerability Category

Vulnerability Impact

Severity

CVSS base score

CVSS vector

CVE Number

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-30677

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-30678

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-30680

Cross-site Scripting (Stored XSS) (CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-30681

Cross-site Scripting (Stored XSS) (CWE-79)

Arbitrary code execution

Important

6.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CVE-2022-30682

Violation of Secure Design Principles (CWE-657)

Security feature bypass

Important

5.3

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2022-30683

Cross-site Scripting (Reflected XSS) (CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-30684

Cross-site Scripting (Reflected XSS) (CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-30685

Cross-site Scripting (Reflected XSS) (CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-30686

Cross-site Scripting (Reflected XSS) (CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-35664

Cross-site Scripting (Reflected XSS) (CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-34218

Updates to dependencies

**Dependency
**

**Vulnerability Impact
**

Affected Versions

xmlgraphics

Privilege escalation

AEM CS

AEM 6.5.9.0 and earlier

ionetty

Privilege escalation

AEM CS

AEM 6.5.9.0 and earlier

Acknowledgments

Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers:

• Jim Green (green-jam) --CVE-2022-30677, CVE-2022-30678, CVE-2022-30680, CVE-2022-30681, CVE-2022-30682, CVE-2022-30683, CVE-2022-30684, CVE-2022-30685, CVE-2022-30686, CVE-2022-35664, CVE-2022-34218

Revisions

December 14th, 2021: Updated acknowledgment for CVE-2021-43762

December 16, 2021: Corrected priority level of bulletin to 2

December 29, 2021: Updated acknowledgement for CVE-2021-40722

For more information, visit https://helpx.adobe.com/security.html, or email [email protected].