CVE-2020-24445: Adobe Security Bulletin

AEM’s Cloud Service offering, as well as version 6.5.6.0 (and below), are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.


Security updates available for Adobe Experience Manager | APSB20-72

Bulletin ID: APSB20-72
Date Published: December 8, 2020
Priority: 2

Summary

Adobe has released updates for Adobe Experience Manager (AEM) and the AEM Forms add-on package. These updates resolve vulnerabilities rated Critical and Important.

Affected product versions

Adobe Experience Manager (AEM), platform: All
- AEM Cloud Service (CS)
- 6.5.6.0 and earlier versions
- 6.4.8.2 and earlier versions
- 6.3.3.8 and earlier versions
- 6.2 SP1-CFP20 and earlier versions

AEM Forms add-on, platform: All
- AEM Forms Service Pack 6 add-on package for AEM 6.5.6.0
- AEM Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 2 (6.4.8.2)

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version (platform: All; priority: 2 for every entry):

Adobe Experience Manager (AEM)
- AEM Cloud Service (CS): see the AEM Cloud Service Release Notes
- 6.5.7.0: see the AEM 6.5 Service Pack Release Notes
- 6.4.8.3: see the AEM 6.4 Cumulative Fix Pack Release Notes

AEM Forms add-on
- AEM Forms Service Pack 7: see AEM Forms Releases
- AEM 6.4 Service Pack 8 CFP 3: see AEM Forms Releases

Customers running on Adobe Experience Manager’s Cloud Service will automatically receive updates that include new features as well as security and functionality bug fixes.

Adobe Experience Manager 6.5.7.0 is an important update that includes new features, key customer-requested enhancements, and performance, stability, and security improvements released since the general availability of the 6.5 release in April 2019. It can be installed on top of Adobe Experience Manager 6.5.

AEM Cumulative Fix Pack 6.4.8.3 is an important update that includes several internal and customer fixes since the general availability of AEM 6.4 Service Pack 8 (6.4.8.0) in March 2020. AEM Cumulative Fix Pack 6.4.8.3 is dependent on AEM 6.4 Service Pack 8. Therefore, you must install the AEM Cumulative Fix Pack 6.4.8.3 package after installing AEM 6.4 Service Pack 8.

Vulnerability details

CVE-2020-24444
- Vulnerability category: Blind server-side request forgery
- Vulnerability impact: Sensitive information disclosure
- Severity: Important
- Affected versions: AEM Forms SP6 add-on for AEM 6.5.6.0 and earlier; AEM Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 2 (6.4.8.2) and earlier

CVE-2020-24445
- Vulnerability category: Cross-site scripting (stored)
- Vulnerability impact: Arbitrary JavaScript execution in the browser
- Severity: Critical
- Affected versions: AEM CS; AEM 6.5.6.0 and earlier
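The stored cross-site scripting entry above describes the general class: a value an attacker submits into a form field is persisted and later printed into a page without output encoding, so it is parsed as markup in every visitor's browser. The following is an added illustration of that class, not Adobe's code, and it assumes nothing about how AEM Forms renders fields internally: the two renderers and the stored submission are hypothetical stand-ins for any server-side template that prints stored field values.

```javascript
// Added illustration of the stored-XSS class in this bulletin. This is not
// Adobe code and assumes nothing about AEM Forms internals: the renderers
// below are hypothetical stand-ins for any server-side template that prints
// stored form-field values into a page.

// Constructed sample submission as it might sit in a store after an attacker
// posted it. The "comment" field carries an event-handler payload.
const storedSubmission = {
  name: "Alice",
  comment: '<img src=x onerror="alert(document.cookie)">',
};

// Vulnerable renderer: stored values are concatenated into the HTML verbatim,
// so attacker-supplied markup becomes live DOM for every visitor of the page.
function renderVulnerable(sub) {
  const items = Object.entries(sub)
    .map(([field, value]) => `<li>${field}: ${value}</li>`)
    .join("");
  return `<ul>${items}</ul>`;
}

// Output encoding for the HTML text and quoted-attribute-value contexts.
// Every character that can open or close a tag, attribute or entity is
// replaced with its character reference.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: same template, but every stored value passes through
// the encoder for the context it lands in (here: HTML text content).
function renderSafe(sub) {
  const items = Object.entries(sub)
    .map(([field, value]) => `<li>${escapeHtml(field)}: ${escapeHtml(value)}</li>`)
    .join("");
  return `<ul>${items}</ul>`;
}

// Counts start tags in a rendered fragment. The template itself contributes
// exactly three (<ul> and two <li>); anything beyond that came from stored
// data, which is the condition a stored-XSS finding reduces to.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Stand-alone run (Node): the vulnerable output gains an <img> element whose
// onerror handler would run in the victim's browser; the hardened output
// shows the same payload as inert text.
if (typeof require !== "undefined" && require.main === module) {
  const bad = renderVulnerable(storedSubmission);
  const good = renderSafe(storedSubmission);
  console.log("vulnerable:", bad, "| start tags:", countStartTags(bad));
  console.log("hardened:  ", good, "| start tags:", countStartTags(good));
}
```

The encoder above is only correct for HTML text content and quoted attribute values; a value printed into a URL, a JavaScript string or an unquoted attribute needs the encoder for that context, which is why HTL templates in AEM select it explicitly with the `@ context` option rather than relying on a single escape function.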

Updates to dependencies

Affected versions for every dependency listed here: AEM CS; AEM 6.5.6.0 and earlier; AEM 6.4.8.2 and earlier; AEM 6.3.3.8 and earlier.

Dependency: vulnerability impact
- Apache Abdera: resource consumption
- Apache Batik: server-side request forgery
- Apache Commons Compress: resource consumption
- Apache OpenNLP: XML external entity (XXE) injection
- Apache Sling Scheduler Service: XML external entity (XXE) injection
- Apache Xerces2: resource consumption
- CKEditor: arbitrary JavaScript execution in the browser
- Eclipse Jetty: resource consumption
- Google-oauth-client: improper authorization
- Handlebars.js: prototype pollution
- Jackson Mapper: XML external entity (XXE) injection
- jQuery: arbitrary JavaScript execution in the browser
- Spring Framework: directory traversal
- Zip4j: directory traversal

Acknowledgments

Adobe would like to thank Frank Karlstrøm and Kenny Jansson of Storebrand Group, Norway (CVE-2020-24444), and Pankaj Upadhyay (CVE-2020-24445) for working with Adobe to help protect our customers.

Revisions

January 13, 2021: Removed AEM 6.4.8.2 and 6.3.3.8 from the list of versions impacted by CVE-2020-24445.
