Bulletin ID
Last updated on
Aug 20, 2024
Security updates available for Adobe Experience Manager | APSB24-28
|
|
Date Published |
Priority |
|---|---|---|
|
APSB24-28 |
June 11, 2024 |
3 |
Summary
Affected product versions
| Product | Version | Platform |
|---|---|---|
| Adobe Experience Manager (AEM) |
AEM Cloud Service (CS) |
All |
| 6.5.20 and earlier versions |
All |
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:
Product |
Version |
Platform |
Priority |
Availability |
|---|---|---|---|---|
| Adobe Experience Manager (AEM) |
AEM Cloud Service Release 2024.5 |
All | 3 | Release Notes |
| 6.5.21 | All |
3 |
AEM 6.5 Service Pack Release Notes |
Note:
Customers running on Adobe Experience Manager’s Cloud Service will automatically receive updates that include new features as well as security and functionality bug fixes.
Note:
Experience Manager Security Considerations:
AEM as a Cloud Service Security Considerations
Anonymous Permission Hardening Package
Note:
Please contact Adobe customer care for assistance with AEM versions 6.4, 6.3 and 6.2.
Vulnerability Details
| Vulnerability Category |
Vulnerability Impact |
Severity |
CVSS base score |
CVSS vector |
CVE Number |
| Improper Access Control (CWE-284) |
Security feature bypass |
Critical | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVE-2024-26029 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
CVE-2024-26036 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
CVE-2024-26037 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
CVE-2024-26039 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | 4.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N |
CVE-2024-26049 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
CVE-2024-26053 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
CVE-2024-26057 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26058 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26066 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26068 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26070 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26071 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26072 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26074 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26075 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26077 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26078 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26081 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26082 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26083 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26085 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26088 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26089 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26090 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26091 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26092 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26093 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26095 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26110 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26111 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26113 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26114 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26115 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26116 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26117 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26121 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26123 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-20769 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-20784 |
| Improper Input Validation (CWE-20) |
Security feature bypass |
Moderate | 3.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N |
CVE-2024-26126 |
| Improper Input Validation (CWE-20) |
Security feature bypass |
Moderate | 3.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N | CVE-2024-26127 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26054 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26055 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26060 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-26086 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-34119 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-34120 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36141 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36142 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36143 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36144 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36146 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36147 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36148 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36149 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36150 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36151 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36152 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36153 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36154 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36155 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36156 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36157 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36158 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36159 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36160 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36161 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36162 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36163 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36164 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36165 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36166 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36167 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36168 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36169 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36170 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36171 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36172 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36173 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36174 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36175 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36176 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36177 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36178 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36179 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36180 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36181 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36182 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36183 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36184 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36185 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36186 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36187 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36188 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36189 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36190 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36191 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36192 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36193 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36194 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36195 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36196 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36197 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36198 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36199 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36200 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36201 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36202 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36203 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36204 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36205 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36206 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36207 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36208 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36209 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36210 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36211 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36212 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36213 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36214 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36215 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36216 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36217 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36218 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36219 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36220 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36221 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36222 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36223 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36224 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36225 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36227 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36228 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36229 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36230 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36231 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36232 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36233 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36234 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36235 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36236 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-34141 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-34142 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36238 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-36239 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-34128 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-41841 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-41842 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-41843 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-41844 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-41845 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-41846 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-41847 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-41848 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-41875 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important |
5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-41876 |
| Improper Input Validation (CWE-20) |
Security feature bypass |
Moderate | 4.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N |
CVE-2024-36226 |
| Improper Input Validation (CWE-20) |
Arbitrary code execution |
Moderate | 4.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N |
CVE-2024-41839 |
| Improper Input Validation (CWE-20) |
Security feature bypass |
Moderate | 4.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N |
CVE-2024-41849 |
Updates to Dependencies
| CVE | Dependency |
Vulnerability Impact |
Affected Versions |
| CVE-2024-22243 |
Spring Framework |
Open Redirect |
AEM CS AEM 6.5.20.0 and earlier |
Note:
If a customer is using Apache httpd in a proxy with a non-default configuration, they may be impacted by CVE-2023-25690 - please read more here: https://httpd.apache.org/security/vulnerabilities_24.html
Acknowledgments
Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers:
- Lorenzo Pirondini -- CVE-2024-26036, CVE-2024-26037, CVE-2024-26039, CVE-2024-26053, CVE-2024-26057, CVE-2024-26058, CVE-2024-26072, CVE-2024-26074, CVE-2024-26075, CVE-2024-26077, CVE-2024-26078, CVE-2024-26081, CVE-2024-26082, CVE-2024-26083, CVE-2024-26085, CVE-2024-26089, CVE-2024-26090, CVE-2024-26091, CVE-2024-26054, CVE-2024-26055, CVE-2024-26086, CVE-2024-36172, CVE-2024-36181, CVE-2024-36182, CVE-2024-36183, CVE-2024-36185, CVE-2024-36186, CVE-2024-36187, CVE-2024-36188, CVE-2024-36189, CVE-2024-36190, CVE-2024-36192, CVE-2024-36193, CVE-2024-36194, CVE-2024-36195, CVE-2024-36196, CVE-2024-36197, CVE-2024-36220, CVE-2024-36222, CVE-2024-36223, CVE-2024-36224, CVE-2024-36228, CVE-2024-36229, CVE-2024-36230, CVE-2024-36231, CVE-2024-36233, CVE-2024-36234, CVE-2024-36235, CVE-2024-36236, CVE-2024-36238, CVE-2024-36239, CVE-2024-34128, CVE-2024-41843, CVE-2024-41844, CVE-2024-41845
- Jim Green (green-jam) -- CVE-2024-26029, CVE-2024-26066, CVE-2024-26068, CVE-2024-26070, CVE-2024-26071, CVE-2024-26088, CVE-2024-26092, CVE-2024-2609, CVE-2024-26095, CVE-2024-26110, CVE-2024-26111, CVE-2024-26113, CVE-2024-26114, CVE-2024-26115, CVE-2024-26116, CVE-2024-26117, CVE-2024-26121, CVE-2024-26123, CVE-2024-20769, CVE-2024-20784, CVE-2024-26060, CVE-2024-34119, CVE-2024-34120, CVE-2024-36141, CVE-2024-36142, CVE-2024-36143, CVE-2024-36144, CVE-2024-36146, CVE-2024-36147, CVE-2024-36148, CVE-2024-36149, CVE-2024-36150, CVE-2024-36151, CVE-2024-36152, CVE-2024-36153, CVE-2024-36154, CVE-2024-36155, CVE-2024-36156, CVE-2024-36157, CVE-2024-36158, CVE-2024-36159, CVE-2024-36160, CVE-2024-36161, CVE-2024-36162, CVE-2024-36163, CVE-2024-36164, CVE-2024-36165, CVE-2024-36166, CVE-2024-36167, CVE-2024-36168, CVE-2024-36169, CVE-2024-36170, CVE-2024-36171, CVE-2024-36173, CVE-2024-36174, CVE-2024-36175, CVE-2024-36176, CVE-2024-36177, CVE-2024-36178, CVE-2024-36179, CVE-2024-36180, CVE-2024-36184, CVE-2024-36191, CVE-2024-36198, CVE-2024-36199, CVE-2024-36200, CVE-2024-36201, CVE-2024-36202, CVE-2024-36203, CVE-2024-36204, CVE-2024-36205, CVE-2024-36206, CVE-2024-36207, CVE-2024-36208, CVE-2024-36209, CVE-2024-36210, CVE-2024-36211, CVE-2024-36212, CVE-2024-36213, CVE-2024-36214, CVE-2024-36215, CVE-2024-36216, CVE-2024-36217, CVE-2024-36218, CVE-2024-36219, CVE-2024-36221, CVE-2024-36225, CVE-2024-34141, CVE-2024-34142, CVE-2024-41841, CVE-2024-41846, CVE-2024-41847, CVE-2024-41848, CVE-2024-41875, CVE-2024-41876
- Akshay Sharma (anonymous_blackzero) -- CVE-2024-26049, CVE-2024-26126, CVE-2024-26127, CVE-2024-36226, CVE-2024-36232, CVE-2024-41849
NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.
Revisions
August 20, 2024 - added CVE-2024-41841, CVE-2024-41842, CVE-2024-41843, CVE-2024-41844, CVE-2024-41845, CVE-2024-41846, CVE-2024-41847, CVE-2024-41848, CVE-2024-41849, CVE-2024-41875, CVE-2024-41876
July 22, 2024 - added CVE-2024-34128 and CVE-2024-41839
June 25, 2024 - Updated Dependencies
June 19, 2024 - added CVE-2024-34141 and CVE-2024-34142
For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.
Adobe MAX
The Creativity Conference
Oct 14–16 Miami Beach and online
Adobe MAX
The Creativity Conference
Oct 14–16 Miami Beach and online