Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-44488: Adobe Security Bulletin

Adobe Experience Manager version 6.5.14 (and earlier) is affected by a URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability. A low-privilege authenticated attacker could leverage this vulnerability to redirect users to malicious websites. Exploitation of this issue requires user interaction.

CVE
#xss#vulnerability#web#auth

Security updates available for Adobe Experience Manager | APSB22-59

Adobe has released updates for Adobe Experience Manager (AEM). These updates resolve vulnerabilities rated Important and Moderate.  Successful exploitation of these vulnerabilities could result in arbitrary code execution and security feature bypass.

Affected product versions

Product

Version

Platform

Adobe Experience Manager (AEM)

AEM Cloud Service (CS)

All

6.5.14.0 and earlier versions

All

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product

Version

Platform

Priority

Availability

Adobe Experience Manager (AEM)

AEM Cloud Service Release 2022.10.0

All

3

Release Notes

6.5.15.0

All

3

AEM 6.5 Service Pack Release Notes

Customers running on Adobe Experience Manager’s Cloud Service will automatically receive updates that include new features as well as security and functionality bug fixes.

Vulnerability Category

Vulnerability Impact

Severity

CVSS base score

CVSS vector

CVE Number

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-42345

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-42346

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-30679

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-42348

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-42349

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-42350

Improper Access Control (CWE-284)

Security feature bypass

Moderate

4.3

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE-2022-42351

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-42352

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-35693

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-42354

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CVE-2022-35694

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-42356

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-42357

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-35695

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CVE-2022-35696

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-42360

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-42362

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-42364

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-42365

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CVE-2022-42366

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-42367

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-44462

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-44463

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

:

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-44465

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-44466

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-44467

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-44468

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-44469

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-44470

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-44471

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-44473

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-44474

URL Redirection to Untrusted Site (‘Open Redirect’) (CWE-601)

Security feature bypass

Moderate

3.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

CVE-2022-44488

**Dependency
**

**Vulnerability Impact
**

Affected Versions

xmlgraphics

Privilege escalation

AEM CS

AEM 6.5.9.0 and earlier

ionetty

Privilege escalation

AEM CS

AEM 6.5.9.0 and earlier

Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers:

  • Jim Green (green-jam) --CVE-2022-42345; CVE-2022-30679; CVE-2022-42348; CVE-2022-42349; CVE-2022-42350; CVE-2022-42351; CVE-2022-42352; CVE-2022-35693; CVE-2022-42354; CVE-2022-35694; CVE-2022-42356; CVE-2022-42357; CVE-2022-35695; CVE-2022-35696; CVE-2022-42360; CVE-2022-42362; CVE-2022-42364; CVE-2022-42365; CVE-2022-42366; CVE-2022-42367; CVE-2022-44462; CVE-2022-44463; CVE-2022-44465; CVE-2022-44466; CVE-2022-44467; CVE-2022-44468; CVE-2022-44469; CVE-2022-44470; CVE-2022-44471; CVE-2022-44473; CVE-2022-44474; CVE-2022-44488

September 21, 2022 - Added CVE details for CVE-2022-38438 and CVE-2022-38439

December 14th, 2021: Updated acknowledgment for CVE-2021-43762

December 16, 2021: Corrected priority level of bulletin to 2

December 29, 2021: Updated acknowledgement for CVE-2021-40722

September 30, 2022: Added CVE-2022-28851

For more information, visit https://helpx.adobe.com/security.html, or email [email protected].

Related news

CVE-2023-21592: Adobe Security Bulletin

Adobe InDesign version 18.0 (and earlier), 17.4 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE-2022-35664: Adobe Security Bulletin

Adobe Experience Manager versions 6.5.13.0 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Exploitation of this issue requires low-privilege access to AEM.

CVE-2022-35664: Adobe Security Bulletin

Adobe Experience Manager versions 6.5.13.0 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Exploitation of this issue requires low-privilege access to AEM.

CVE-2022-28852: Adobe Security Bulletin

Adobe InDesign versions 16.4.2 (and earlier) and 17.3 (and earlier) are affected by by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907