Adobe Security Bulletin
Security updates available for Adobe Experience Manager | APSB20-01
| Bulletin ID | Date Published | Priority |
| --- | --- | --- |
| APSB20-01 | January 14, 2020 | 2 |

Summary

Adobe has released security updates for Adobe Experience Manager (AEM). These updates resolve multiple vulnerabilities, rated Important and Moderate, in AEM versions 6.5 and below. Successful exploitation could result in sensitive information disclosure.

Affected product versions

| Product | Version | Platform |
| --- | --- | --- |
| Adobe Experience Manager | 6.5, 6.4, 6.3, 6.2, 6.1, 6.0 | All |

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

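| Product | Version | Platform | Priority | Availability |
| --- | --- | --- | --- | --- |
| Adobe Experience Manager | 6.5 | All | 2 | Releases and Updates |
| Adobe Experience Manager | 6.4 | All | 2 | Releases and Updates |
| Adobe Experience Manager | 6.3 | All | 2 | Releases and Updates |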

Please contact Adobe customer care for assistance with earlier AEM versions.

Vulnerability details

| Vulnerability Category | Vulnerability Impact | Severity | CVE Number | Affected Versions | Download Package |
| --- | --- | --- | --- | --- | --- |
| Cross-Site Script Inclusion | Sensitive Information disclosure | Important | CVE-2019-16466 | AEM 6.1, AEM 6.2, AEM 6.3, AEM 6.4, AEM 6.5 | Cumulative Fix Pack 6.3.3.7, Service Pack 6.4.7.0, Service Pack 6.5.3.0 |
| Reflected Cross-Site Scripting | Sensitive Information disclosure | Important | CVE-2019-16467 | AEM 6.1, AEM 6.2, AEM 6.3, AEM 6.4, AEM 6.5 | Cumulative Fix Pack 6.3.3.7, Service Pack 6.4.7.0, Service Pack 6.5.3.0 |
| User Interface Injection | Sensitive Information Disclosure | Moderate | CVE-2019-16468 | AEM 6.3, AEM 6.4, AEM 6.5 | Cumulative Fix Pack 6.3.3.7, Service Pack 6.4.7.0, Service Pack 6.5.3.0 |
| Expression Language injection | Sensitive Information Disclosure | Important | CVE-2019-16469 | AEM 6.5 | Service Pack 6.5.3.0 |

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:     

Revisions

January 16, 2020: Modified the vulnerability category of CVE-2019-16466 from "Reflected Cross-Site Scripting" to "Cross-Site script inclusion".

March 19, 2020: Added AEM versions 6.1 and 6.2 to the vulnerability details table for CVE-2019-16466 and CVE-2019-16467.