Adobe fixes critical flaws in Adobe InDesign, Framemaker, and Experience Manager

Adobe has released security updates to address 12 critical vulnerabilities in Adobe InDesign, Adobe Framemaker, and Adobe Experience Manager.

Adobe has released security updates to address twelve critical vulnerabilities that could be exploited by attackers to execute arbitrary code on systems running vulnerable versions of Adobe InDesign, Adobe Framemaker, and Adobe Experience Manager.

“Adobe has published security bulletins for Adobe InDesign (APSB20-52), Adobe Framemaker (APSB20-54) and Adobe Experience Manager (APSB20-56). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin.” reads the advisory published by the company.

The company also addressed 18 important-severity security vulnerabilities in Adobe Experience Manager (AEM) and the AEM Forms add-on package. These could lead to arbitrary JavaScript execution in the browser via stored cross-site scripting, or to disclosure of sensitive information via execution with unnecessary privileges.

APSB20-52 Security Update Available for Adobe InDesign

Adobe addressed memory corruption flaws in Adobe InDesign for macOS that could lead to arbitrary code execution in the context of the current user.

“Adobe has released a security update for Adobe InDesign. This update addresses multiple critical vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the advisory.

The flaws were reported by Kexu Wang from Fortinet’s FortiGuard. The company released Adobe InDesign for macOS version 15.1.2 to address the following vulnerabilities:

| Vulnerability Category | Vulnerability Impact | Severity | CVE Number |
|---|---|---|---|
| Memory Corruption | Arbitrary Code Execution | Critical | CVE-2020-9727, CVE-2020-9728, CVE-2020-9729, CVE-2020-9730, CVE-2020-9731 |

APSB20-54 Security Updates Available for Adobe Framemaker

Adobe has addressed out-of-bounds read and stack-based buffer overflow vulnerabilities in Adobe Framemaker that may lead to arbitrary code execution in the context of the current user on Windows devices.

The company addressed the following issues with the release of Adobe Framemaker 2019.0.7:

| Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers |
|---|---|---|---|
| Out-of-Bounds Read | Arbitrary code execution | Critical | CVE-2020-9726 |
| Stack-based Buffer Overflow | Arbitrary code execution | Critical | CVE-2020-9725 |

APSB20-56 Security updates available for Adobe Experience Manager

Adobe addressed stored and reflected cross-site scripting vulnerabilities, as well as HTML injection and execution with unnecessary privileges issues, in Adobe Experience Manager and the AEM Forms add-on. The vulnerabilities could lead to arbitrary JavaScript execution, arbitrary HTML injection in the browser, and sensitive information disclosure.

“Adobe has released updates for Adobe Experience Manager (AEM) and the AEM Forms add-on package. These updates resolve vulnerabilities rated Critical and Important. Successful exploitation of these vulnerabilities could result in arbitrary JavaScript execution in the browser.” reads the advisory.

The issues have been fixed with the release of Adobe Experience Manager 6.5.6.0 or 6.4.8.2 and AEM Forms add-on Service Pack 6. Below is the list of fixed issues:

| Vulnerability Category | Vulnerability Impact | Severity | CVE Number | Affected Versions |
|---|---|---|---|---|
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9732 | AEM Forms SP5 and earlier |
| Execution with Unnecessary Privileges | Sensitive Information Disclosure | Important | CVE-2020-9733 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier |
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9734 | AEM Forms SP5 and earlier |
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Important | CVE-2020-9735 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier |
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Important | CVE-2020-9736 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier |
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Important | CVE-2020-9737 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier |
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Important | CVE-2020-9738 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier |
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9740 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier |
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9741 | AEM Forms SP5 and earlier |
| Cross-site scripting (reflected) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9742 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier |
| HTML injection | Arbitrary HTML injection in the browser | Important | CVE-2020-9743 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier |


Pierluigi Paganini

(SecurityAffairs – hacking, Adobe InDesign)

The post Adobe fixes critical flaws in Adobe InDesign, Framemaker, and Experience Manager appeared first on Security Affairs.