Adobe Security Bulletin

Security updates available for Adobe Experience Manager | APSB22-40

Bulletin ID

Date Published

Priority

APSB22-40

September 13, 2022 

3

Summary

Adobe has released updates for Adobe Experience Manager (AEM). These updates resolve vulnerabilities rated Important.  Successful exploitation of these vulnerabilities could result in arbitrary code execution and security feature bypass.

Affected product versions

Product Version Platform
Adobe Experience Manager (AEM)
AEM Cloud Service (CS)
All
6.5.13.0 and earlier versions 
All

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product

Version

Platform

Priority

Availability

Adobe Experience Manager (AEM) 
AEM Cloud Service (CS)
All 3 Release Notes
6.5.14.0 
All

3

AEM 6.5 Service Pack Release Notes 
Note:

Customers running on Adobe Experience Manager’s Cloud Service will automatically receive updates that include new features as well as security and functionality bug fixes.  

Note:

Please contact Adobe customer care for assistance with AEM versions 6.4, 6.3 and 6.2.

Vulnerability details

Vulnerability Category

Vulnerability Impact

Severity

CVSS base score 

CVE Number 

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-30677

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-30678

Cross-site Scripting (XSS)

(CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-30680

Cross-site Scripting (Stored XSS) (CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-30681

Cross-site Scripting (Stored XSS) (CWE-79)

Arbitrary code execution

Important

6.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CVE-2022-30682

Violation of Secure Design Principles (CWE-657)

Security feature bypass

Important

5.3

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2022-30683

Cross-site Scripting (Reflected XSS) (CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-30684

Cross-site Scripting (Reflected XSS) (CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-30685

Cross-site Scripting (Reflected XSS) (CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-30686

Cross-site Scripting (Reflected XSS) (CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-35664

Cross-site Scripting (Reflected XSS) (CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-34218

Cross-site Scripting (Reflected XSS) (CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-38438

Cross-site Scripting (Reflected XSS) (CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-38439

Cross-site Scripting (Reflected XSS) (CWE-79)

Arbitrary code execution

Important

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2022-28851

Updates to dependencies

Dependency
Vulnerability Impact
Affected Versions
xmlgraphics
Privilege escalation

AEM CS  

AEM 6.5.9.0 and earlier 

ionetty
Privilege escalation

AEM CS  

AEM 6.5.9.0 and earlier 

Acknowledgments

Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers: 

  • Jim Green (green-jam) --CVE-2022-30677, CVE-2022-30678, CVE-2022-30680, CVE-2022-30681, CVE-2022-30682, CVE-2022-30683, CVE-2022-30684, CVE-2022-30685, CVE-2022-30686, CVE-2022-35664,  CVE-2022-34218, CVE-2022-38438, CVE-2022-38439, CVE-2022-28851

Revisions

September 21, 2022 - Added CVE details for CVE-2022-38438 and CVE-2022-38439

December 14th, 2021: Updated acknowledgment for CVE-2021-43762

December 16, 2021: Corrected priority level of bulletin to 2

December 29, 2021: Updated acknowledgement for CVE-2021-40722

September 30, 2022: Added CVE-2022-28851


For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

Get help faster and easier

New user?