====================================================================
CERT-Renater Information Note No. 2020/VULN505
_____________________________________________________________________
DATE                 : 09/09/2020
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Adobe Experience Manager (AEM)
                       versions prior to 6.5.6.0 or 6.4.8.2, and AEM
                       Forms add-on versions prior to Service Pack 6.
=====================================================================

https://helpx.adobe.com/security/products/experience-manager/apsb20-56.html
_____________________________________________________________________

Security updates available for Adobe Experience Manager | APSB20-56

Bulletin ID   Date Published      Priority
APSB20-56     September 8, 2020   2

Summary

Adobe has released updates for Adobe Experience Manager (AEM) and the AEM Forms add-on package. These updates resolve vulnerabilities rated Critical and Important. Successful exploitation of these vulnerabilities could result in arbitrary JavaScript execution in the browser.

Affected product versions

Product                    Version                                         Platform
Adobe Experience Manager   6.5.5.0 and earlier versions                    All
                           6.4.8.1 and earlier versions                    All
                           6.3.3.8 and earlier versions                    All
                           6.2 SP1-CFP20 and earlier versions              All
AEM Forms add-on           AEM Forms Service Pack 5 and earlier versions   All

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product                          Version                    Platform   Priority   Availability
Adobe Experience Manager (AEM)   6.5.6.0                    All        2          AEM 6.5 Service Pack Release Notes
                                 6.4.8.2                    All        2          AEM 6.4 Cumulative Fix Pack Release Notes
AEM Forms add-on                 AEM Forms Service Pack 6   All        2          AEM Forms Releases

Note: Adobe Experience Manager 6.5.6.0 is an important update that includes new features, key customer-requested enhancements, and performance, stability, and security improvements released since the general availability of the 6.5 release in April 2019. It can be installed on top of Adobe Experience Manager 6.5.

Note: AEM Cumulative Fix Pack 6.4.8.2 is an important update that includes several internal and customer fixes since the general availability of AEM 6.4 Service Pack 8 (6.4.8.0) in March 2020. AEM Cumulative Fix Pack 6.4.8.2 depends on AEM 6.4 Service Pack 8. Therefore, you must install the AEM Cumulative Fix Pack 6.4.8.2 package after installing AEM 6.4 Service Pack 8.

Note: Please contact Adobe customer care for assistance with AEM versions 6.3 and 6.2.

Vulnerability details

CVE Number      Severity    Vulnerability Category
CVE-2020-9732   Critical    Cross-site scripting (stored)
                Impact   : Arbitrary JavaScript execution in the browser
                Affected : AEM Forms SP5 and earlier

CVE-2020-9733   Important   Execution with Unnecessary Privileges
                Impact   : Sensitive Information Disclosure
                Affected : AEM 6.5.5.0 and earlier, AEM 6.4.8.1 and earlier

CVE-2020-9734   Critical    Cross-site scripting (stored)
                Impact   : Arbitrary JavaScript execution in the browser
                Affected : AEM Forms SP5 and earlier

CVE-2020-9735   Important   Cross-site scripting (stored)
                Impact   : Arbitrary JavaScript execution in the browser
                Affected : AEM 6.5.5.0 and earlier, AEM 6.4.8.1 and earlier,
                           AEM 6.3.3.8 and earlier, AEM 6.2 SP1-CFP20 and earlier

CVE-2020-9736   Important   Cross-site scripting (stored)
                Impact   : Arbitrary JavaScript execution in the browser
                Affected : AEM 6.5.5.0 and earlier, AEM 6.4.8.1 and earlier,
                           AEM 6.3.3.8 and earlier, AEM 6.2 SP1-CFP20 and earlier

CVE-2020-9737   Important   Cross-site scripting (stored)
                Impact   : Arbitrary JavaScript execution in the browser
                Affected : AEM 6.5.5.0 and earlier, AEM 6.4.8.1 and earlier,
                           AEM 6.3.3.8 and earlier, AEM 6.2 SP1-CFP20 and earlier

CVE-2020-9738   Important   Cross-site scripting (stored)
                Impact   : Arbitrary JavaScript execution in the browser
                Affected : AEM 6.5.5.0 and earlier, AEM 6.4.8.1 and earlier,
                           AEM 6.3.3.8 and earlier, AEM 6.2 SP1-CFP20 and earlier

CVE-2020-9740   Critical    Cross-site scripting (stored)
                Impact   : Arbitrary JavaScript execution in the browser
                Affected : AEM 6.5.5.0 and earlier, AEM 6.4.8.1 and earlier,
                           AEM 6.3.3.8 and earlier, AEM 6.2 SP1-CFP20 and earlier

CVE-2020-9741   Critical    Cross-site scripting (stored)
                Impact   : Arbitrary JavaScript execution in the browser
                Affected : AEM Forms SP5 and earlier

CVE-2020-9742   Critical    Cross-site scripting (reflected)
                Impact   : Arbitrary JavaScript execution in the browser
                Affected : AEM 6.5.5.0 and earlier, AEM 6.4.8.1 and earlier,
                           AEM 6.3.3.8 and earlier

CVE-2020-9743   Important   HTML injection
                Impact   : Arbitrary HTML injection in the browser
                Affected : AEM 6.5.5.0 and earlier, AEM 6.4.8.1 and earlier,
                           AEM 6.3.3.8 and earlier, AEM 6.2 SP1-CFP20 and earlier

Updates to dependencies

Affected versions for all four dependencies below: AEM 6.5.5.0 and earlier, AEM 6.4.8.1 and earlier, AEM 6.3.3.8 and earlier, AEM 6.2 SP1-CFP20 and earlier.

Dependency                     Vulnerability Impact
Handlebars.js                  Arbitrary JavaScript execution in the browser
Lodash.js (removed from AEM)   Prototype pollution
Log4j                          Deserialization of untrusted data
Dom4j                          XXE (XML eXternal Entity) injection

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================
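The Solution section above gives one fixed release per supported branch plus a prerequisite for the 6.4 cumulative fix pack; the following triage helper is an added example (not part of the CERT-Renater note or Adobe's bulletin) that maps an installed AEM or AEM Forms level to the action the bulletin calls for. It assumes AEM reports a purely numeric dotted version such as "6.4.8.1" and that the AEM Forms add-on level is known as a service pack number.

```python
"""Triage an installed AEM / AEM Forms version against APSB20-56.

Added example, not from the CERT-Renater note or Adobe's bulletin. It assumes a
numeric dotted AEM version ("6.4.8.1") and a known AEM Forms service pack number.
"""
from __future__ import annotations

# Fixed releases from the bulletin, keyed by 6.x branch: (fixed, prerequisite).
# 6.4.8.2 is a cumulative fix pack that requires Service Pack 8 (6.4.8.0) first;
# 6.3 and 6.2 have no public fix in this bulletin and need Adobe customer care.
FIXED = {
    (6, 5): ((6, 5, 6, 0), None),
    (6, 4): ((6, 4, 8, 2), (6, 4, 8, 0)),
}
FORMS_FIXED_SP = 6


def parse_version(text: str) -> tuple[int, ...]:
    """Turn "6.4.8.1" into (6, 4, 8, 1), padding to four numeric fields so that
    "6.5" compares as 6.5.0.0 and "6.4.8.10" sorts above "6.4.8.2"."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected AEM version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def triage_aem(installed: str) -> str:
    """Return the action required for an AEM core version."""
    v = parse_version(installed)
    branch = v[:2]
    if branch not in FIXED:
        if branch in ((6, 3), (6, 2)):
            return "contact Adobe customer care (no public fix for 6.3/6.2)"
        return "branch not covered by APSB20-56; verify manually"
    fixed, prerequisite = FIXED[branch]
    if v >= fixed:
        return "not affected"
    target = ".".join(map(str, fixed))
    if prerequisite and v < prerequisite:
        # Below Service Pack 8: the fix pack cannot be applied directly.
        return f"install {'.'.join(map(str, prerequisite))} then {target}"
    return f"install {target}"


def triage_forms(installed_sp: int) -> str:
    """Return the action required for the AEM Forms add-on service pack."""
    if installed_sp >= FORMS_FIXED_SP:
        return "not affected"
    return f"install AEM Forms Service Pack {FORMS_FIXED_SP}"
```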