Adobe Security Bulletin

Last updated on Jun 15, 2021

Security updates available for Adobe Experience Manager | APSB21-39

Bulletin ID	Date Published	Priority
APSB21-39	June 08, 2021	2

Summary

Adobe has released updates for Adobe Experience Manager (AEM). These updates resolve vulnerabilities rated Important and moderate. Successful exploitation of these vulnerabilities could result in arbitrary JavaScript execution in the browser.

Affected product versions

Product	Version	Platform
Adobe Experience Manager (AEM)	AEM Cloud Service (CS)	All
6.5.8.0 and earlier versions	All

Product

Version

Platform

Adobe Experience Manager (AEM)

AEM Cloud Service (CS)

All

6.5.8.0 and earlier versions

All

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product	Version	Platform	Priority	Availability
Adobe Experience Manager (AEM)	AEM Cloud Service (CS)	All	2	Release Notes
6.5.9.0	All	2	AEM 6.5 Service Pack Release Notes

Product

Version

Platform

Priority

Availability

Adobe Experience Manager (AEM)

AEM Cloud Service (CS)

All

Release Notes

6.5.9.0

All

AEM 6.5 Service Pack Release Notes

Note:

Customers running on Adobe Experience Manager’s Cloud Service will automatically receive updates that include new features as well as security and functionality bug fixes.

Note:

Please contact Adobe customer care for assistance with AEM versions 6.3 and 6.2.

Vulnerability details

Vulnerability Category	Vulnerability Impact	Severity	CVSS base score	CVSS vector	CVE Number
Cross-site Scripting (XSS) (CWE-79)	Arbitrary code execution	Important	6.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L	CVE-2021-28625
Improper Authorization (CWE-285)	Application denial-of-service	Moderate	3.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L	CVE-2021-28626
Server-Side Request Forgery (SSRF) (CWE-918)	Security feature bypass	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L	CVE-2021-28627
Cross-site Scripting (XSS) (CWE-79)	Arbitrary code execution	Important	6.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L	CVE-2021-28628

Updates to dependencies

Dependency	Vulnerability Impact	Affected Versions
Apache Xerces2	Application Denial-of-Service	AEM CS AEM 6.5.8.0 and earlier
Apache Sling	Improper Access Control	AEM CS AEM 6.5.8.0 and earlier
Handlebars.js	Improper Access Control	AEM CS AEM 6.5.8.0 and earlier
Uber Jar	Remote Code Execution	AEM CS AEM 6.5.8.0 and earlier
jQuery	Improper Access Control	AEM CS AEM 6.5.8.0 and earlier
Eclipse Jetty	Uncontrolled Resource Consumption	AEM CS AEM 6.5.8.0 and earlier

Acknowledgments

Adobe would like to thank SignorRossi (CVE-2021-28627) for reporting this issue and for working with Adobe to help protect our customers.

Revisions

June 15, 2021: Updated CVSS vector for CVE-2021-28626.

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

Adobe

Get help faster and easier

New user?