Loma  Baumbach

Loma Baumbach

1599707640

Critical Adobe Flaws Allow Attackers to Run JavaScript in Browsers

Adobe has released fixes addressing five critical flaws in its popular Experience Manager content-management solution for building websites, mobile apps and forms. The cross-site scripting (XSS) flaws could allow attackers to execute JavaScript in targets’ browsers.

Including Adobe Experience Manager, Adobe fixed 18 flaws as part of its regularly scheduled September updates. It also addressed flaws in Adobe Framemaker, its document-processor designed for writing and editing large or complex documents; and InDesign, its desktop publishing and typesetting software application.

“The impact of any exploitation of these vulnerabilities, no matter their criticality, could open any organization up to the release of private information, easy lateral movement through a network, or the hijacking of critical information all due to the heavy use of these tools in marketing and its unfettered access to critical information,” said Richard Melick, senior technical product manager at Automox, in an email. “It is important to patch these vulnerabilities as soon as possible.”

Threatpost Webinar Promo Bug Bounty

Click to Register

Adobe patched 11 bugs overall in its Experience Manager; five of those are rated critical severity, and the rest are “important” severity. The critical flaws are all XSS glitches (CVE-2020-9732, CVE-2020-9742, CVE-2020-9741, CVE-2020-9740 and CVE-2020-9734).

“Successful exploitation of these vulnerabilities could result in arbitrary JavaScript execution in the browser,” according to Adobe.

The five important-severity flaws include an issue allowing for execution with unnecessary privileges, leading to sensitive information disclosure (CVE-2020-9733), four cross site scripting flaws (CVE-2020-9735, CVE-2020-9736, CVE-2020-9737, CVE-2020-9738) and an HTML injection glitch (CVE-2020-9743) allowing arbitrary HTML injection in the browser.

Below is a list of affected product solutions; fixes are available in version 6.5.6.0 and version 6.4.8.2 (as well as AEM Forms Service Pack 6 for AEM forms add-on users).

adobe experience manager

The update for Adobe Experience Manager received a “priority 2,” meaning it resolves flaws in a product that has “historically been at elevated risk” – but for which there is no known exploits.

“Based on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for example, within 30 days),” according to Adobe.

#vulnerabilities #web security #adobe #adobe bug #adobe experience manager #adobe framemaker #adobe indesign #adobe patch #browser attack #critical flaw #cross site scripting #html injection flaw #information disclosure #javascript #patch tuesday #xss

Critical Adobe Flaws Allow Attackers to Run JavaScript in Browsers