Adobe fixed 18 flaws as part of its regularly scheduled September updates, including flaws in Adobe Experience Manager. It also addressed flaws in Adobe Framemaker, its document processor designed for writing and editing large or complex documents, and in InDesign, its desktop publishing and typesetting software application.
“The impact of any exploitation of these vulnerabilities, no matter their criticality, could open any organization up to the release of private information, easy lateral movement through a network, or the hijacking of critical information all due to the heavy use of these tools in marketing and its unfettered access to critical information,” said Richard Melick, senior technical product manager at Automox, in an email. “It is important to patch these vulnerabilities as soon as possible.”
Adobe patched 11 bugs overall in its Experience Manager; five of those are rated critical severity, and the rest are “important” severity. The critical flaws are all XSS glitches (CVE-2020-9732, CVE-2020-9742, CVE-2020-9741, CVE-2020-9740 and CVE-2020-9734).
The five important-severity flaws include an issue allowing for execution with unnecessary privileges, leading to sensitive information disclosure (CVE-2020-9733), four cross-site scripting flaws (CVE-2020-9735, CVE-2020-9736, CVE-2020-9737, CVE-2020-9738) and an HTML injection glitch (CVE-2020-9743) allowing arbitrary HTML injection in the browser.
Below is a list of affected product solutions; fixes are available in version 184.108.40.206 and version 220.127.116.11 (as well as AEM Forms Service Pack 6 for AEM forms add-on users).
The update for Adobe Experience Manager received a “priority 2” rating, meaning it resolves flaws in a product that has “historically been at elevated risk” but for which there are no known exploits.
“Based on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for example, within 30 days),” according to Adobe.