Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-35664: Adobe Security Bulletin

Adobe Experience Manager versions 6.5.13.0 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim’s browser. Exploitation of this issue requires low-privilege access to AEM.

CVE
#xss#vulnerability#java

Security updates available for Adobe Experience Manager | APSB22-40

Bulletin ID

Date Published

Priority

APSB22-40

September 13, 2022

3

Summary

Adobe has released updates for Adobe Experience Manager (AEM). These updates resolve vulnerabilities rated Important.  Successful exploitation of these vulnerabilities could result in arbitrary code execution and security feature bypass.

Affected product versions

Product

Version

Platform

Adobe Experience Manager (AEM)

AEM Cloud Service (CS)

All

6.5.13.0 and earlier versions

All

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product

Version

Platform

Priority

Availability

Adobe Experience Manager (AEM)

AEM Cloud Service (CS)

All

3

Release Notes

6.5.14.0

All

3

AEM 6.5 Service Pack Release Notes

Customers running on Adobe Experience Manager’s Cloud Service will automatically receive updates that include new features as well as security and functionality bug fixes.

Vulnerability details

Vulnerability Category

Vulnerability Impact

Severity

CVSS base score

CVSS vector

CVE Number

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-30677

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-30678

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-30680

Cross-site Scripting (Stored XSS) (CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-30681

Cross-site Scripting (Stored XSS) (CWE-79)

Arbitrary code execution

Important

6.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CVE-2022-30682

Violation of Secure Design Principles (CWE-657)

Security feature bypass

Important

5.3

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2022-30683

Cross-site Scripting (Reflected XSS) (CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-30684

Cross-site Scripting (Reflected XSS) (CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-30685

Cross-site Scripting (Reflected XSS) (CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-30686

Cross-site Scripting (Reflected XSS) (CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-35664

Cross-site Scripting (Reflected XSS) (CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-34218

Updates to dependencies

**Dependency
**

**Vulnerability Impact
**

Affected Versions

xmlgraphics

Privilege escalation

AEM CS

AEM 6.5.9.0 and earlier

ionetty

Privilege escalation

AEM CS

AEM 6.5.9.0 and earlier

Acknowledgments

Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers:

  • Jim Green (green-jam) --CVE-2022-30677, CVE-2022-30678, CVE-2022-30680, CVE-2022-30681, CVE-2022-30682, CVE-2022-30683, CVE-2022-30684, CVE-2022-30685, CVE-2022-30686, CVE-2022-35664, CVE-2022-34218

Revisions

December 14th, 2021: Updated acknowledgment for CVE-2021-43762

December 16, 2021: Corrected priority level of bulletin to 2

December 29, 2021: Updated acknowledgement for CVE-2021-40722

For more information, visit https://helpx.adobe.com/security.html, or email [email protected].

Related news

CVE-2022-44488: Adobe Security Bulletin

Adobe Experience Manager version 6.5.14 (and earlier) is affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. A low-privilege authenticated attacker could leverage this vulnerability to redirect users to malicious websites. Exploitation of this issue requires user interaction.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907