Security updates available for Adobe Experience Manager | APSB20-31

Bulletin ID | Date Published | Priority |
---|---|---|
APSB20-31 | June 09, 2020 | 2 |

Summary
Adobe has released updates for Adobe Experience Manager (AEM). These updates resolve vulnerabilities in AEM versions 6.5 and below rated Important. Successful exploitation could result in sensitive information disclosure.
Affected product versions

Product | Version | Platform |
---|---|---|
Adobe Experience Manager | 6.5 and earlier versions | All |

Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product | Version | Platform | Priority | Availability |
---|---|---|---|---|
Adobe Experience Manager | 6.5 | All | 2 | Releases and Updates |
Adobe Experience Manager | 6.4 | All | 2 | |

Please contact Adobe customer care for assistance with earlier AEM versions.
Vulnerability details

Vulnerability Category | Vulnerability Impact | Severity | CVE Number | Affected Versions | Release Notes |
---|---|---|---|---|---|
Server-side request forgery (SSRF) | Sensitive Information Disclosure | Important | CVE-2020-9643 | AEM 6.1, AEM 6.2, AEM 6.3, AEM 6.4 | |
Cross-site scripting (DOM-based) | Arbitrary JavaScript execution in the browser | Important | CVE-2020-9647 | AEM 6.1, AEM 6.2, AEM 6.3, AEM 6.4, AEM 6.5 | |
Cross-site scripting | Arbitrary JavaScript execution in the browser | Important | CVE-2020-9648 | AEM 6.1, AEM 6.2, AEM 6.3, AEM 6.4, AEM 6.5 | |
Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Important | CVE-2020-9644 | AEM 6.1, AEM 6.2, AEM 6.3, AEM 6.4, AEM 6.5 | |
Blind server-side request forgery (SSRF) | Sensitive Information Disclosure | Important | CVE-2020-9645 | AEM 6.1, AEM 6.2, AEM 6.3, AEM 6.4, AEM 6.5 | |
Cross-site scripting (reflected) | Arbitrary JavaScript execution in the browser | Important | CVE-2020-9651 | AEM 6.1, AEM 6.2, AEM 6.3, AEM 6.4, AEM 6.5 | |

AEM version 6.1 extended support ended on May 31, 2020.
Acknowledgments
Adobe would like to thank Thomas Hartmann of Netcentric (CVE-2020-9644) and Dmitry Muntyanov (CVE-2020-9645) for working with Adobe to help protect our customers.