CVE-2020-24445: Adobe Security Bulletin
AEM’s Cloud Service offering, as well as version 6.5.6.0 (and below), are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Security updates available for Adobe Experience Manager | APSB20-72
| Bulletin ID | Date Published | Priority |
| --- | --- | --- |
| APSB20-72 | December 8, 2020 | 2 |
Summary
Adobe has released updates for Adobe Experience Manager (AEM) and the AEM Forms add-on package. These updates resolve vulnerabilities rated Critical and Important.
Affected product versions
| Product | Version | Platform |
| --- | --- | --- |
| Adobe Experience Manager (AEM) | AEM Cloud Service (CS) | All |
| Adobe Experience Manager (AEM) | 6.5.6.0 and earlier versions | All |
| Adobe Experience Manager (AEM) | 6.4.8.2 and earlier versions | All |
| Adobe Experience Manager (AEM) | 6.3.3.8 and earlier versions | All |
| Adobe Experience Manager (AEM) | 6.2 SP1-CFP20 and earlier versions | All |
| AEM Forms add-on | AEM Forms Service Pack 6 add-on package for AEM 6.5.6.0 | All |
| AEM Forms add-on | AEM Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 2 (6.4.8.2) | All |
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:
| Product | Version | Platform | Priority | Availability |
| --- | --- | --- | --- | --- |
| Adobe Experience Manager (AEM) | AEM Cloud Service (CS) | All | 2 | Release Notes |
| Adobe Experience Manager (AEM) | 6.5.7.0 | All | 2 | AEM 6.5 Service Pack Release Notes |
| Adobe Experience Manager (AEM) | 6.4.8.3 | All | 2 | AEM 6.4 Cumulative Fix Pack Release Notes |
| AEM Forms add-on | AEM Forms Service Pack 7 | All | 2 | AEM Forms Releases |
| AEM Forms add-on | AEM 6.4 Service Pack 8 CFP 3 | All | 2 | AEM Forms Releases |
Customers running on Adobe Experience Manager’s Cloud Service will automatically receive updates that include new features as well as security and functionality bug fixes.
Adobe Experience Manager 6.5.7.0 is an important update that includes new features, key customer-requested enhancements, and performance, stability, and security improvements released since the general availability of the 6.5 release in April 2019. It can be installed on top of Adobe Experience Manager 6.5.
AEM Cumulative Fix Pack 6.4.8.3 is an important update that includes several internal and customer fixes since the general availability of AEM 6.4 Service Pack 8 (6.4.8.0) in March 2020. AEM Cumulative Fix Pack 6.4.8.3 is dependent on AEM 6.4 Service Pack 8. Therefore, you must install the AEM Cumulative Fix Pack 6.4.8.3 package after installing AEM 6.4 Service Pack 8.
Note that the solution table lists no update for the 6.3 and 6.2 branches, even though 6.3.3.8 and earlier and 6.2 SP1-CFP20 and earlier appear in the affected-versions list; installations on those branches need to move to one of the updated releases above to pick up these fixes.
Vulnerability details
| Vulnerability Category | Vulnerability Impact | Severity | CVE Number | Affected Versions |
| --- | --- | --- | --- | --- |
| Blind server-side request forgery | Sensitive Information Disclosure | Important | CVE-2020-24444 | AEM Forms SP6 add-on for AEM 6.5.6.0 and earlier; AEM Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 2 (6.4.8.2) and earlier |
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-24445 | AEM CS; AEM 6.5.6.0 and earlier |
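The bulletin describes CVE-2020-24445 only at the level of "a stored XSS in a form field that fires when a victim views the page containing it". The example below is an added illustration of that class of bug and of the fix shape it needs (context-aware output encoding); it is not Adobe's or AEM's code, and the submission store, the list template, the field names `name` and `comment`, the sample payloads and the `findInjectedMarkup` heuristic are all hypothetical stand-ins constructed for this page.

```javascript
// Added illustration of the stored XSS class described in this bulletin. This is
// not AEM code: the store, the template and the field names are hypothetical
// stand-ins for "a vulnerable form field" and the page that later displays it.

// Constructed sample submissions: one benign, one carrying a payload for each of
// the two output contexts the template uses (a quoted attribute and a text node).
const SUBMISSIONS = [
  { id: 1, name: "Alice", comment: "Great article!" },
  {
    id: 2,
    name: 'Mallory" onmouseover="alert(document.cookie)',   // attribute break-out
    comment: "<img src=x onerror=alert(document.cookie)>", // text-node injection
  },
];

// In-memory stand-in for the repository that persists submitted field values.
// "Stored" XSS means the payload lives here and hits every later visitor.
const store = new Map();
function storeSubmission(s) {
  store.set(s.id, { ...s });
}

// Vulnerable pattern: stored values are concatenated straight into page markup.
function renderUnsafe(id) {
  const s = store.get(id);
  return `<li data-name="${s.name}"><b>${s.name}</b>: ${s.comment}</li>`;
}

// Encode the five characters that change meaning in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: every untrusted value is encoded for the context it lands in.
// Both contexts here are HTML-quoted, so one encoder covers them; a URL, CSS or
// inline-script context would need its own encoder, not this one.
function renderSafe(id) {
  const s = store.get(id);
  const name = escapeHtml(s.name);
  const comment = escapeHtml(s.comment);
  return `<li data-name="${name}"><b>${name}</b>: ${comment}</li>`;
}

// Heuristic check for tests and review (hypothetical helper): report any element
// that is not one of the template's own tags, and any inline event handler that
// sits in attribute position. A real audit would parse the DOM instead.
const TEMPLATE_TAGS = new Set(["li", "b"]);
function findInjectedMarkup(html) {
  const found = [];
  for (const m of html.matchAll(/<\/?([a-z][a-z0-9]*)/gi)) {
    if (!TEMPLATE_TAGS.has(m[1].toLowerCase())) found.push(`<${m[1]}>`);
  }
  for (const m of html.matchAll(/\s(on[a-z]+)\s*=\s*["']/gi)) {
    found.push(m[1]);
  }
  return found;
}

SUBMISSIONS.forEach(storeSubmission);

// Run with `node` to see the unencoded and encoded renderings side by side.
if (typeof require !== "undefined" && require.main === module) {
  for (const id of store.keys()) {
    console.log("unsafe:", renderUnsafe(id), findInjectedMarkup(renderUnsafe(id)));
    console.log("safe  :", renderSafe(id), findInjectedMarkup(renderSafe(id)));
  }
}
```

Two practitioner notes follow from the example. First, the fix belongs at the output sink, not at the input: the same stored value is harmless in `renderSafe` and live in `renderUnsafe`, so filtering on submission alone leaves every other page that displays the field exposed. Second, because the payload persists in the repository, a response to this class of bug on an unpatched instance is not complete after applying the vendor update; previously submitted form data should also be reviewed for markup of the kind `findInjectedMarkup` flags, since it will still render to anyone who views it through any remaining unencoded path.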
Updates to dependencies
Every dependency update below applies to the same set of affected versions: AEM CS, AEM 6.5.6.0 and earlier, AEM 6.4.8.2 and earlier, and AEM 6.3.3.8 and earlier.

| Dependency | Vulnerability Impact |
| --- | --- |
| Apache Abdera | Resource consumption |
| Apache Batik | Server-side request forgery |
| Apache Commons Compress | Resource consumption |
| Apache OpenNLP | XML external entity (XXE) injection |
| Apache Sling Scheduler Service | XML external entity (XXE) injection |
| Apache Xerces2 | Resource consumption |
| CKEditor | Arbitrary JavaScript execution in the browser |
| Eclipse Jetty | Resource consumption |
| Google-oauth-client | Improper authorization |
| Handlebars.js | Prototype pollution |
| Jackson Mapper | XML external entity (XXE) injection |
| jQuery | Arbitrary JavaScript execution in the browser |
| Spring Framework | Directory traversal |
| Zip4j | Directory traversal |
Acknowledgments
Adobe would like to thank Frank Karlstrøm and Kenny Jansson of Storebrand Group, Norway (CVE-2020-24444), and Pankaj Upadhyay (CVE-2020-24445) for working with Adobe to help protect our customers.
Revisions
January 13, 2021: Removed AEM 6.4.8.2 and 6.3.3.8 from the list of versions impacted by CVE-2020-24445.