Adobe Experience Manager, InDesign, Framemaker receive fixes for critical bugs in new update

The worst issues can lead to code and browser-based JavaScript execution.
Written by Charlie Osborne, Contributing Writer

Adobe's latest round of security updates fixes severe bugs in Experience Manager, InDesign, and Framemaker. 

The largest patch tackles Adobe Experience Manager (AEM) versions,, and earlier, as well as 6.2 SP1-CFP20 and earlier. Versions of the AEM Forms add-on package Service Pack 5 and earlier are also affected. 

Five critical vulnerabilities, including reflected and stored cross-site scripting issues, have been resolved in AEM. The bugs are tracked as CVE-2020-9732, CVE-2020-9734, CVE-2020-9740, CVE-2020-9741, and CVE-2020-9742. 

Two of the security issues, CVE-2020-9732 and CVE-2020-9734, specifically relate to the Forms service pack. 

Each security flaw, if left unpatched, can lead to arbitrary JavaScript execution in the browser.


Six other bugs, deemed important, have also been resolved in AEM. CVE-2020-9733 is described as an "execution with unnecessary privileges" issue that can lead to information disclosure if abused, whereas CVE-2020-9743 is a browser-based arbitrary HTML injection vulnerability. 

In addition, CVE-2020-9735, CVE-2020-9736, CVE-2020-9737, and CVE-2020-9738 are stored cross-site scripting security flaws that can lead to arbitrary JavaScript execution in a browser.

Adobe has also updated a range of software dependencies, including Handlebars.js, Lodash.js, Log4j, and Dom4j. 

In this month's security round, the software giant has patched a total of five vulnerabilities in Adobe InDesign. The bugs, impacting versions 15.1.1 and below, "could lead to arbitrary code execution in the context of the current user," according to Adobe. 

Each security issue -- CVE-2020-9727, CVE-2020-9728, CVE-2020-9729, CVE-2020-9730, and CVE-2020-9731 -- is described as a memory corruption flaw.

Adobe Framemaker, a document processor for large documents, has also received a security update. Two critical vulnerabilities, an out-of-bounds read and stack-based buffer overflow issue (CVE-2020-9726, CVE-2020-9725), could lead to arbitrary code execution if exploited. 


"While none of the vulnerabilities disclosed in Adobe's release are known to be actively attacked today, all patches should be prioritized on systems with these products installed," says Jimmy Graham, Senior Director of Product Management at Qualys. 

The tech giant thanked researchers from Trend Micro and Fortinet's FortiGuard Labs for disclosing some of the security issues. 

Adobe's last security patch, issued in September, tackled 26 critical and important bugs in Acrobat and Reader. In total, 11 could be used in remote code execution attack chains. 


Adobe Flash has been a frequent entrant to security update lists for many years. Microsoft, Adobe, Apple, Facebook, Google, and Mozilla intend to end support for the software by the end of 2020, and earlier this week, Microsoft clarified its timeline for removing Flash support for Microsoft Edge and Internet Explorer 11. After this time, Adobe will also no longer issue security fixes for the software. 

In related news, Microsoft's latest round of security fixes resolved 129 vulnerabilities across 15 products, including 20 critical remote code execution flaws. 
