Adobe has released security updates to address twelve critical vulnerabilities that could make it possible for attackers to execute arbitrary code on devices running vulnerable versions of Adobe InDesign, Adobe Framemaker, and Adobe Experience Manager.
The rest of the total of 18 security flaws patched today are important severity bugs that could lead to arbitrary JavaScript execution in the browser via stored cross-site scripting vulnerabilities or disclosure of sensitive information via execution with unnecessary privileges.
These important severity vulnerabilities were all found in the Adobe Experience Manager (AEM) and the AEM Forms add-on package, and they affect devices on all platforms running unpatched software versions.
Adobe advises customers to update the vulnerable apps to the latest versions as soon as possible to block attacks attempting to exploit unpatched installations.
APSB20-52 Security Update Available for Adobe InDesign
Adobe has released security updates for Adobe InDesign for macOS that fix a memory corruption bugs reported by Kexu Wang of Fortinet’s FortiGuard that could lead to arbitrary code execution in the context of the current user.
macOS users should install Adobe InDesign 15.1.2 to fix these five critical vulnerabilities.
| Vulnerability Category | Vulnerability Impact | Severity | CVE Number |
|---|---|---|---|
| Memory Corruption | Arbitrary Code Execution | Critical | CVE-2020-9727 CVE-2020-9728 CVE-2020-9729 CVE-2020-9730 CVE-2020-9731 |
APSB20-54 Security Updates Available for Adobe Framemaker
Adobe has published security updates for Adobe Framemaker to patch out-of-bounds read and stack-based buffer overflow issues that may lead to arbitrary code execution in the context of the current user if successfully exploited on Windows devices.
Users are advised to install Adobe Framemaker 2019.0.7 immediately to fix these critical severity flaws.
| Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers |
| Out-of-Bounds Read | Arbitrary code execution | Critical | CVE-2020-9726 |
| Stack-based Buffer Overflow | Arbitrary code execution | Critical | CVE-2020-9725 |
Also read: Website Ownership Laws: Your Rights And What It Protects
APSB20-56 Security updates available for Adobe Experience Manager
Adobe has issued updates for Adobe Experience Manager and the AEM Forms add-on that fix stored and reflected cross-site scripting bugs, as well as HTML injection and execution with unnecessary privileges issues that could lead to arbitrary JavaScript execution, arbitrary HTML injection in the browser, and sensitive information disclosure.
Users should install Adobe Experience Manager 6.5.6.0 or 6.4.8.2 and AEM Forms add-on Service Pack 6 to patch these security vulnerabilities.
| Vulnerability Category | Vulnerability Impact | Severity | CVE Number | Affected Versions |
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9732 | AEM Forms SP5 and earlier |
| Execution with Unnecessary Privileges | Sensitive Information Disclosure | Important | CVE-2020-9733 | AEM 6.5.5.0 and earlierAEM 6.4.8.1 and earlier |
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9734 | AEM Forms SP5 and earlier |
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Important | CVE-2020-9735 | AAEM 6.5.5.0 and earlierAEM 6.4.8.1 and earlierAEM 6.3.3.8 and earlierAEM 6.2 SP1-CFP20 and earlier |
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Important | CVE-2020-9736 | AEM 6.5.5.0 and earlierAEM 6.4.8.1 and earlierAEM 6.3.3.8 and earlierAEM 6.2 SP1-CFP20 and earlier |
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Important | CVE-2020-9737 | AEM 6.5.5.0 and earlierAEM 6.4.8.1 and earlierAEM 6.3.3.8 and earlierAEM 6.2 SP1-CFP20 and earlier |
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Important | CVE-2020-9738 | AEM 6.5.5.0 and earlierAEM 6.4.8.1 and earlierAEM 6.3.3.8 and earlierAEM 6.2 SP1-CFP20 and earlier |
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9740 | AEM 6.5.5.0 and earlierAEM 6.4.8.1 and earlierAEM 6.3.3.8 and earlierAEM 6.2 SP1-CFP20 and earlier |
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9741 | AEM Forms SP5 and earlier |
| Cross-site scripting (reflected) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9742 | AEM 6.5.5.0 and earlierAEM 6.4.8.1 and earlierAEM 6.3.3.8 and earlier |
| HTML injection | Arbitrary HTML injection in the browser | Important | CVE-2020-9743 | AEM 6.5.5.0 and earlierAEM 6.4.8.1 and earlierAEM 6.3.3.8 and earlierAEM 6.2 SP1-CFP20 and earlier |
Also read: 5 Self Assessment Tools To Find The Right Professional Fit
Established in 2018, Privacy Ninja is a Singapore-based IT security company specialising in data protection and cybersecurity solutions for businesses. We offer services like vulnerability assessments, penetration testing, and outsourced Data Protection Officer support, helping organisations comply with regulations and safeguard their data.
Singapore
7 Temasek Boulevard,
#12-07, Suntec Tower One,
Singapore 038987
