Adobe Security Bulletin

Last updated on 16 May 2021

Security updates available for Adobe Experience Manager | APSB20-56

Bulletin ID	Date Published	Priority
APSB20-56	September 8, 2020	2

Summary

Adobe has released updates for Adobe Experience Manager (AEM) and the AEM Forms add-on package. These updates resolve vulnerabilities rated Critical and Important.  Successful exploitation of these vulnerabilities could result in arbitrary JavaScript execution in the browser.

Affected product versions

Product	Version	Platform
Adobe Experience Manager	6.5.5.0 and earlier versions	All
	6.4.8.1 and earlier versions	All
	6.3.3.8 and earlier versions	All
	6.2 SP1-CFP20 and earlier versions	All
AEM Forms add-on	AEM Forms Service Pack 5 and earlier versions	All

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product	Version	Platform	Priority	Availability
Adobe Experience Manager (AEM)	6.5.6.0	All	2	AEM 6.5 Service Pack Release Notes
6.4.8.2	All	2	AEM 6.4 Cumulative Fix Pack Release Notes
AEM Forms add-on	AEM Forms Service Pack 6	All	2	AEM Forms Releases

Product

Version

Platform

Priority

Availability

Adobe Experience Manager (AEM)

6.5.6.0

All

AEM 6.5 Service Pack Release Notes  

6.4.8.2

All

AEM 6.4 Cumulative Fix Pack Release Notes 

AEM Forms add-on

AEM Forms Service Pack 6

All

AEM Forms Releases

Note:

Adobe Experience Manager 6.5.6.0 is an important update that includes new features, key customer requested enhancements, and performance, stability, and security improvements released since the general availability of 6.5 release in April 2019. It can be installed on top of Adobe Experience Manager 6.5.

Note:

AEM Cumulative Fix Pack 6.4.8.2 is an important update that includes several internal and customer fixes since the general availability of AEM 6.4 Service Pack 8 (6.4.8.0) in March 2020. AEM Cumulative Fix Pack 6.4.8.2 is dependent on AEM 6.4 Service Pack 8. Therefore, you must install the AEM Cumulative Fix Pack 6.4.8.2 package after installing AEM 6.4 Service Pack 8.

Note:

Please contact Adobe customer care for assistance with AEM versions 6.3 and 6.2.

Vulnerability details

Vulnerability Category	Vulnerability Impact	Severity	CVE Number	Affected Versions
Cross-site scripting (stored)	Arbitrary JavaScript execution in the browser	Critical	CVE-2020-9732	AEM Forms SP5 and earlier
Execution with Unnecessary Privileges	Sensitive Information Disclosure	Important	CVE-2020-9733	AEM 6.5.5.0 and earlier AEM 6.4.8.1 and earlier
Cross-site scripting (stored)	Arbitrary JavaScript execution in the browser	Critical	CVE-2020-9734	AEM Forms SP5 and earlier
Cross-site scripting (stored)	Arbitrary JavaScript execution in the browser	Important	CVE-2020-9735	AAEM 6.5.5.0 and earlier AEM 6.4.8.1 and earlier AEM 6.3.3.8 and earlier AEM 6.2 SP1-CFP20 and earlier
Cross-site scripting (stored)	Arbitrary JavaScript execution in the browser	Important	CVE-2020-9736	AEM 6.5.5.0 and earlier AEM 6.4.8.1 and earlier AEM 6.3.3.8 and earlier AEM 6.2 SP1-CFP20 and earlier
Cross-site scripting (stored)	Arbitrary JavaScript execution in the browser	Important	CVE-2020-9737	AEM 6.5.5.0 and earlier AEM 6.4.8.1 and earlier AEM 6.3.3.8 and earlier AEM 6.2 SP1-CFP20 and earlier
Cross-site scripting (stored)	Arbitrary JavaScript execution in the browser	Important	CVE-2020-9738	AEM 6.5.5.0 and earlier AEM 6.4.8.1 and earlier AEM 6.3.3.8 and earlier AEM 6.2 SP1-CFP20 and earlier
Cross-site scripting (stored)	Arbitrary JavaScript execution in the browser	Critical	CVE-2020-9740	AEM 6.5.5.0 and earlier AEM 6.4.8.1 and earlier AEM 6.3.3.8 and earlier AEM 6.2 SP1-CFP20 and earlier
Cross-site scripting (stored)	Arbitrary JavaScript execution in the browser	Critical	CVE-2020-9741	AEM Forms SP5 and earlier
Cross-site scripting (reflected)	Arbitrary JavaScript execution in the browser	Critical	CVE-2020-9742	AEM 6.5.5.0 and earlier AEM 6.4.8.1 and earlier AEM 6.3.3.8 and earlier
HTML injection	Arbitrary HTML injection in the browser	Important	CVE-2020-9743	AEM 6.5.5.0 and earlier AEM 6.4.8.1 and earlier AEM 6.3.3.8 and earlier AEM 6.2 SP1-CFP20 and earlier

Updates to dependencies

Dependency	Vulnerability Impact	Affected Versions
Handlebars.js	Arbitrary JavaScript execution in the browser	AEM 6.5.5.0 and earlier AEM 6.4.8.1 and earlier AEM 6.3.3.8 and earlier AEM 6.2 SP1-CFP20 and earlier
Lodash.js (removed from AEM)	Prototype pollution	AEM 6.5.5.0 and earlier AEM 6.4.8.1 and earlier AEM 6.3.3.8 and earlier AEM 6.2 SP1-CFP20 and earlier
Log4j	Deserialization of untrusted data	AEM 6.5.5.0 and earlier AEM 6.4.8.1 and earlier AEM 6.3.3.8 and earlier AEM 6.2 SP1-CFP20 and earlier
Dom4j	XXE (Xml eXternal Entity) injection	AEM 6.5.5.0 and earlier AEM 6.4.8.1 and earlier AEM 6.3.3.8 and earlier AEM 6.2 SP1-CFP20 and earlier

Adobe

Get help faster and easier

New user?

Adobe Security Bulletin

Summary

Affected product versions

Solution

Vulnerability details

Updates to dependencies

Get help faster and easier

Ask the Community

Contact Us