CVE-2022-44488: Adobe Security Bulletin
Adobe Experience Manager version 6.5.14 (and earlier) is affected by a URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability. A low-privilege authenticated attacker could leverage this vulnerability to redirect users to malicious websites. Exploitation of this issue requires user interaction.
Security updates available for Adobe Experience Manager | APSB22-59
Adobe has released updates for Adobe Experience Manager (AEM). These updates resolve vulnerabilities rated Important and Moderate. Successful exploitation of these vulnerabilities could result in arbitrary code execution and security feature bypass.
Affected product versions

| Product | Version | Platform |
|---|---|---|
| Adobe Experience Manager (AEM) | AEM Cloud Service (CS) | All |
| Adobe Experience Manager (AEM) | 6.5.14.0 and earlier versions | All |
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

| Product | Version | Platform | Priority | Availability |
|---|---|---|---|---|
| Adobe Experience Manager (AEM) | AEM Cloud Service Release 2022.10.0 | All | 3 | Release Notes |
| Adobe Experience Manager (AEM) | 6.5.15.0 | All | 3 | AEM 6.5 Service Pack Release Notes |
Customers running on Adobe Experience Manager’s Cloud Service will automatically receive updates that include new features as well as security and functionality bug fixes.
| Vulnerability Category | Vulnerability Impact | Severity | CVSS base score | CVSS vector | CVE Number |
|---|---|---|---|---|---|
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-42345 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-42346 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-30679 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-42348 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-42349 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-42350 |
| Improper Access Control (CWE-284) | Security feature bypass | Moderate | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | CVE-2022-42351 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-42352 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-35693 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-42354 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N | CVE-2022-35694 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-42356 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-42357 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-35695 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N | CVE-2022-35696 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-42360 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-42362 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-42364 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-42365 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N | CVE-2022-42366 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-42367 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-44462 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-44463 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-44465 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-44466 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-44467 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-44468 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-44469 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-44470 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-44471 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-44473 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-44474 |
| URL Redirection to Untrusted Site ('Open Redirect') (CWE-601) | Security feature bypass | Moderate | 3.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N | CVE-2022-44488 |
| Dependency | Vulnerability Impact | Affected Versions |
|---|---|---|
| xmlgraphics | Privilege escalation | AEM CS; AEM 6.5.9.0 and earlier |
| ionetty | Privilege escalation | AEM CS; AEM 6.5.9.0 and earlier |
Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers:
- Jim Green (green-jam): CVE-2022-42345; CVE-2022-30679; CVE-2022-42348; CVE-2022-42349; CVE-2022-42350; CVE-2022-42351; CVE-2022-42352; CVE-2022-35693; CVE-2022-42354; CVE-2022-35694; CVE-2022-42356; CVE-2022-42357; CVE-2022-35695; CVE-2022-35696; CVE-2022-42360; CVE-2022-42362; CVE-2022-42364; CVE-2022-42365; CVE-2022-42366; CVE-2022-42367; CVE-2022-44462; CVE-2022-44463; CVE-2022-44465; CVE-2022-44466; CVE-2022-44467; CVE-2022-44468; CVE-2022-44469; CVE-2022-44470; CVE-2022-44471; CVE-2022-44473; CVE-2022-44474; CVE-2022-44488
For more information, visit https://helpx.adobe.com/security.html, or email [email protected].