Adobe Security Bulletin

Security updates available for Adobe Experience Manager Forms

Release date: December 13, 2016

Vulnerability identifier: APSB16-40

Priority: 3

CVE number: CVE-2016-6933, CVE-2016-6934

Platform: Windows, Linux, Solaris and AIX

Summary

Adobe has released security updates for Adobe Experience Manager (AEM) Forms on Windows, Linux, Solaris and AIX. These updates resolve two important input validation issues that could be used in cross-site scripting attacks (CVE-2016-6933 and CVE-2016-6934). Adobe recommends users apply the available updates using the instructions provided in the "Solution" section below. 

Note: In 2015, AEM Forms became the successor to Adobe LiveCycle.  

Affected versions

Product | Affected version | Platform
Adobe Experience Manager Forms | 6.2, 6.1, 6.0 | Windows, Linux, Solaris and AIX
LiveCycle | 11.0.1, 10.0.4 | Windows, Linux, Solaris and AIX

Solution

Adobe categorizes these updates with the following priority rating, and recommends that customers with on-premise deployments install the available updates referenced below with the help of the Adobe Marketing Cloud Customer Care team.

Product | Fixed version | Platform | Priority rating
Adobe Experience Manager Forms 6.2 | AEMForms-6.2.0-0002 | Windows, Linux, Solaris and AIX | 3
Adobe Experience Manager Forms 6.1 | 6.1.0-COR-1064-012, 6.1.0-PRM-1065-020 | Windows, Linux, Solaris and AIX | 3
Adobe Experience Manager Forms 6.0 | 6.0.0-COR-1042-015, 6.0.0-PRM-1043-020 | Windows, Linux, Solaris and AIX | 3
LiveCycle 11.0.1 | 11.0.1-COR-1155-044, 11.0.1-PRM-1161-017 | Windows, Linux, Solaris and AIX | 3
LiveCycle 10.0.4 | 10.0.4-COR-1064-025, 10.0.4-PRM-1065-007 | Windows, Linux, Solaris and AIX | 3

Vulnerability Details

Description | CVE | Fixed version
Updates resolve an input validation issue in the AACComponent that could be used in cross-site scripting attacks. | CVE-2016-6933 | AEMForms-6.2.0-0002, 6.1.0-COR-1064-012, 6.0.0-COR-1042-015, 11.0.1-COR-1155-044, 10.0.4-COR-1064-025
Updates resolve an input validation issue in the PMAdmin module that could be used in cross-site scripting attacks. | CVE-2016-6934 | AEMForms-6.2.0-0002, 6.1.0-PRM-1065-020, 6.0.0-PRM-1043-020, 11.0.1-PRM-1161-017, 10.0.4-PRM-1065-007

Acknowledgments

Adobe would like to thank Adam Willard of Blue Canopy for reporting these issues (CVE-2016-6933 and CVE-2016-6934) and for working with Adobe to help protect our customers.