Adobe Security Bulletin

Last updated on May 16, 2021

Security updates available for Adobe Experience Manager | APSB20-01

Bulletin ID	Date Published	Priority
APSB20-01	January 14, 2020	2

Summary

Adobe has released security updates for Adobe Experience Manager (AEM). These updates resolve multiple vulnerabilities in AEM versions 6.5 and below rated Important and Moderate. Successful exploitation could result in sensitive information disclosure.

Affected product versions

Product	Version	Platform
Adobe Experience Manager	6.5 6.4 6.3 6.2 6.1 6.0	All

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product	Version	Platform	Priority	Availability
Adobe Experience Manager	6.5	All	2	Releases and Updates
6.4	All	2	Releases and Updates
6.3	All	2	Releases and Updates

Product

Version

Platform

Priority

Availability

Adobe Experience Manager

6.5

All

Releases and Updates

6.4

All

Releases and Updates

6.3

All

Releases and Updates

Please contact Adobe customer care for assistance with earlier AEM versions.

Vulnerability details

Vulnerability Category	Vulnerability Impact	Severity	CVE Number	Affected Versions	Download Package
Cross-Site Script Inclusion	Sensitive Information disclosure	Important	CVE-2019-16466	AEM 6.1 AEM 6.2 AEM 6.3 AEM 6.4 AEM 6.5	Cumulative Fix Pack 6.3.3.7 Service Pack 6.4.7.0 Service Pack 6.5.3.0
Reflected Cross-Site Scripting	Sensitive Information disclosure	Important	CVE-2019-16467	AEM 6.1 AEM 6.2 AEM 6.3 AEM 6.4 AEM 6.5	Cumulative Fix Pack 6.3.3.7 Service Pack 6.4.7.0 Service Pack 6.5.3.0
User Interface Injection	Sensitive Information Disclosure	Moderate	CVE-2019-16468	AEM 6.3 AEM 6.4 AEM 6.5	Cumulative Fix Pack 6.3.3.7 Service Pack 6.4.7.0 Service Pack 6.5.3.0
Expression Language injection	Sensitive Information Disclosure	Important	CVE-2019-16469	AEM 6.5	Service Pack 6.5.3.0

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:     

Lorenzo Pirondini (Netcentric, a Cognizant Digital Business) (CVE-2019-16466, CVE-2019-16468)
Valerio Brussani (https://www.linkedin.com/in/valeriobrussani) (CVE-2019-16469)

Revisions

January 16, 2020: Modified the vulnerability category of CVE-2019-16466 from "Reflected Cross-Site Scripting" to "Cross-Site script inclusion".

March 19, 2020: Added AEM versions 6.1 and 6.2 to the vulnerability details table for CVE-2019-16466 and CVE-2019-16467.

Adobe

Get help faster and easier

New user?

Adobe MAX
The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX

The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX
The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX

The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe Security Bulletin

Summary

Affected product versions

Solution

Vulnerability details

Acknowledgments

Revisions

Get help faster and easier

Ask the Community

Contact Us