====================================================================
                           CERT-Renater

                Information Note No. 2018/VULN142
_____________________________________________________________________

DATE                 : 11/04/2018

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Adobe Experience Manager
                       versions 6.3, 6.2, 6.1, 6.0.

=====================================================================
https://helpx.adobe.com/security/products/experience-manager/apsb18-10.html
_____________________________________________________________________

Adobe Security Bulletin

Last Published: April 11, 2018

Security updates available for Adobe Experience Manager | APSB18-10

+-------------------------+--------------------------------+------------------+
|Bulletin ID              |Date Published                  |Priority          |
+-------------------------+--------------------------------+------------------+
|APSB18-10                |April 10, 2018                  |3                 |
+-------------------------+--------------------------------+------------------+

Summary

Adobe has released security updates for Adobe Experience Manager. These
updates resolve a stored cross-site scripting vulnerability
(CVE-2018-4929) rated moderate, and two cross-site scripting
vulnerabilities (CVE-2018-4930 and CVE-2018-4931) rated important.

Affected product versions

+------------------------+-----------------+-------------------+
|Product                 |Version          |Platform           |
+------------------------+-----------------+-------------------+
|                        |6.3              |                   |
|                        |6.2              |                   |
|Adobe Experience Manager|6.1              |All                |
|                        |6.0              |                   |
+------------------------+-----------------+-------------------+

Solution

Adobe categorizes these updates with the following priority ratings and
recommends users update their installation to the newest version:

+--------------------------+-------+---------+---------+----------------------+
|Product                   |Version|Platform |Priority |Availability          |
+--------------------------+-------+---------+---------+----------------------+
|                          |6.3    |All      |3        |Release note          |
|                          +-------+---------+---------+----------------------+
|                          |6.2    |All      |3        |Release note          |
|Adobe Experience Manager  +-------+---------+---------+----------------------+
|                          |6.1    |All      |3        |Release note          |
|                          +-------+---------+---------+----------------------+
|                          |6.0    |All      |3        |Release note          |
+--------------------------+-------+---------+---------+----------------------+

Please contact Adobe customer care for assistance with earlier AEM
versions.

Vulnerability details

+-------------+--------------+----------+-------------+--------+------------------+
|Vulnerability|Vulnerability |Severity  |CVE Numbers  |Affected|Download Package  |
|Category     |Impact        |          |             |Version |                  |
+-------------+--------------+----------+-------------+--------+------------------+
|Stored       |Sensitive     |Moderate  |CVE-2018-4929|AEM 6.2 |HOTFIX 19293 for  |
|cross-site   |Information   |          |             |and     |AEM 6.0.0         |
|scripting    |disclosure    |          |             |earlier |                  |
|             |              |          |             |        |Cumulative Fix    |
|             |              |          |             |        |Pack for 6.1 SP2 -|
|             |              |          |             |        |AEM-6.1-SP2-CFP15 |
|             |              |          |             |        |                  |
|             |              |          |             |        |Cumulative Fix    |
|             |              |          |             |        |Pack for 6.2 SP1 -|
|             |              |          |             |        |AEM-6.2-SP1-CFP12 |
+-------------+--------------+----------+-------------+--------+------------------+
|Cross-site   |Sensitive     |Important |CVE-2018-4930|AEM 6.3 |Cumulative Fix    |
|scripting    |Information   |          |             |and     |Pack for 6.1 SP2 -|
|             |Disclosure    |          |             |earlier |AEM-6.1-SP2-CFP15 |
|             |              |          |             |        |                  |
|             |              |          |             |        |Cumulative Fix    |
|             |              |          |             |        |Pack for 6.2 SP1 -|
|             |              |          |             |        |AEM-6.2-SP1-CFP12 |
|             |              |          |             |        |                  |
|             |              |          |             |        |Service Pack      |
|             |              |          |             |        |6.3.2.0 for AEM   |
|             |              |          |             |        |6.3               |
+-------------+--------------+----------+-------------+--------+------------------+
|Stored       |Sensitive     |Important |CVE-2018-4931|AEM 6.1 |HOTFIX 19385 for  |
|cross-site   |Information   |          |             |and     |AEM 6.0.0         |
|scripting    |Disclosure    |          |             |earlier |                  |
|             |              |          |             |        |HOTFIX 9381 for   |
|             |              |          |             |        |AEM 6.1.0         |
+-------------+--------------+----------+-------------+--------+------------------+

Note: The packages listed in the table above are the minimum fix packs
to address the listed vulnerability. For the latest versions, please see
the release notes links referenced above.

Acknowledgments

Adobe would like to thank the following individuals and organizations
for reporting the relevant issues and for working with Adobe to help
protect our customers:

  o Frans Rosen of Detectify Labs (CVE-2018-4930)
  o Nagamarimuthu of Cognizant Technology Solutions - Enterprise Risk &
    Security Solutions (CVE-2018-4931)

==========================================================
+ CERT-RENATER        | tel  : 01-53-94-20-44            +
+ 23 - 25 Rue Daviel  | fax  : 01-53-94-20-41            +
+ 75013 Paris         | email: cert@support.renater.fr   +
==========================================================