Adobe fixes critical flaws in Adobe InDesign, Framemaker, and Experience Manager

Pierluigi Paganini September 08, 2020

Adobe has released security updates to address 12 critical vulnerabilities in Adobe InDesign, Adobe Framemaker, and Adobe Experience Manager.

Adobe has released security updates to address twelve critical vulnerabilities that could be exploited by attackers to execute arbitrary code on systems running vulnerable versions of Adobe InDesign, Adobe Framemaker, and Adobe Experience Manager.

“Adobe has published security bulletins for Adobe InDesign (APSB20-52), Adobe Framemaker (APSB20-54) and Adobe Experience Manager (APSB20-56). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin.” reads the advisory published by the company.

In total the three bulletins cover 18 vulnerabilities. The six rated Important affect Adobe Experience Manager (AEM) and the AEM Forms add-on package; they could lead to arbitrary JavaScript execution in the browser via stored cross-site scripting, arbitrary HTML injection, or disclosure of sensitive information via execution with unnecessary privileges.

APSB20-52 Security Update Available for Adobe InDesign

Adobe addressed memory corruption flaws in Adobe InDesign for macOS that could lead to arbitrary code execution in the context of the current user.

“Adobe has released a security update for Adobe InDesign. This update addresses multiple critical vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the advisory.

The flaws were reported by Kexu Wang of Fortinet’s FortiGuard. Adobe released Adobe InDesign for macOS version 15.1.2 to address the following vulnerabilities:

Vulnerability Category | Vulnerability Impact | Severity | CVE Number
Memory Corruption | Arbitrary Code Execution | Critical | CVE-2020-9727
Memory Corruption | Arbitrary Code Execution | Critical | CVE-2020-9728
Memory Corruption | Arbitrary Code Execution | Critical | CVE-2020-9729
Memory Corruption | Arbitrary Code Execution | Critical | CVE-2020-9730
Memory Corruption | Arbitrary Code Execution | Critical | CVE-2020-9731

APSB20-54 Security Updates Available for Adobe Framemaker

Adobe has addressed an out-of-bounds read and a stack-based buffer overflow in Adobe Framemaker for Windows, either of which may lead to arbitrary code execution in the context of the current user.

The company addressed the following issues with the release of Adobe Framemaker 2019.0.7:

Vulnerability Category | Vulnerability Impact | Severity | CVE Number
Out-of-Bounds Read | Arbitrary code execution | Critical | CVE-2020-9726
Stack-based Buffer Overflow | Arbitrary code execution | Critical | CVE-2020-9725

APSB20-56 Security updates available for Adobe Experience Manager

Adobe addressed stored and reflected cross-site scripting vulnerabilities, as well as HTML injection and execution with unnecessary privileges issues, in Adobe Experience Manager and the AEM Forms add-on. The vulnerabilities could lead to arbitrary JavaScript execution, arbitrary HTML injection in the browser, and sensitive information disclosure.

“Adobe has released updates for Adobe Experience Manager (AEM) and the AEM Forms add-on package. These updates resolve vulnerabilities rated Critical and Important. Successful exploitation of these vulnerabilities could result in arbitrary JavaScript execution in the browser.” reads the advisory.

The issues have been addressed with the release of Adobe Experience Manager 6.5.6.0 and 6.4.8.2 and of AEM Forms add-on Service Pack 6. Below is the list of fixed issues:

Vulnerability Category | Vulnerability Impact | Severity | CVE Number | Affected Versions
Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9732 | AEM Forms SP5 and earlier
Execution with Unnecessary Privileges | Sensitive Information Disclosure | Important | CVE-2020-9733 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier
Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9734 | AEM Forms SP5 and earlier
Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Important | CVE-2020-9735 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier
Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Important | CVE-2020-9736 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier
Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Important | CVE-2020-9737 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier
Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Important | CVE-2020-9738 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier
Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9740 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier
Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9741 | AEM Forms SP5 and earlier
Cross-site scripting (reflected) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9742 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier
HTML injection | Arbitrary HTML injection in the browser | Important | CVE-2020-9743 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier
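As an added example, not part of the original article and not Adobe's code, the following Python script checks an installed product version against the fix levels named in the three bulletins above and reports whether the install is fixed, affected, or outside what the bulletins state. The product keys and the FixLevel record are this example's own naming; for InDesign and Framemaker the page names only the fixed build, so the script assumes every lower build in the same release line is affected, and the AEM 6.3 line, which the page lists as affected without a fixed version, is never reported as fixed.

```python
"""Version check against the fix levels in Adobe bulletins APSB20-52,
APSB20-54 and APSB20-56.  Added example; not Adobe's code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FixLevel:
    branch: Tuple[int, ...]       # release line the entry applies to, e.g. (6, 5) for AEM 6.5.x
    last_affected: Optional[str]  # highest version the bulletin lists as affected, if any
    first_fixed: Optional[str]    # version that carries the fix, if the bulletin names one
    bulletin: str


# Fix levels transcribed from the bulletin tables on this page.  For InDesign and
# Framemaker the page names only the fixed build, so this example ASSUMES that every
# lower build in the same release line is affected.  AEM 6.3 is listed as affected
# with no fixed version on the page, hence first_fixed=None.  Product keys are this
# example's own naming.
FIX_LEVELS: Dict[str, List[FixLevel]] = {
    "indesign-macos": [FixLevel((15,), None, "15.1.2", "APSB20-52")],
    "framemaker": [FixLevel((2019,), None, "2019.0.7", "APSB20-54")],
    "aem": [
        FixLevel((6, 5), "6.5.5.0", "6.5.6.0", "APSB20-56"),
        FixLevel((6, 4), "6.4.8.1", "6.4.8.2", "APSB20-56"),
        FixLevel((6, 3), "6.3.3.8", None, "APSB20-56"),
    ],
    # AEM Forms add-on service packs: SP5 and earlier affected, SP6 fixed.
    "aem-forms": [FixLevel((), "SP5", "SP6", "APSB20-56")],
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'6.5.5.0' -> (6, 5, 5, 0); 'SP6' -> (6,).  Anything else is rejected."""
    s = text.strip()
    if s.upper().startswith("SP"):
        s = s[2:]
    parts = s.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def compare(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Numeric comparison with zero padding, so (6, 5) == (6, 5, 0, 0)."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def assess(product: str, installed: str) -> Tuple[str, str]:
    """Classify an installed version as 'fixed', 'affected' or 'unknown'."""
    v = parse_version(installed)
    for level in FIX_LEVELS[product]:
        if v[: len(level.branch)] != level.branch:
            continue  # different release line (e.g. the AEM 6.4 entry for a 6.5 install)
        if level.first_fixed and compare(v, parse_version(level.first_fixed)) >= 0:
            return "fixed", f"{installed} is at or above {level.first_fixed} ({level.bulletin})"
        if level.last_affected and compare(v, parse_version(level.last_affected)) <= 0:
            return "affected", f"{installed} is {level.last_affected} or earlier ({level.bulletin})"
        if level.first_fixed and level.last_affected is None:
            # Only a fixed build is named: treat anything below it as affected (assumption).
            return "affected", f"{installed} is below fixed build {level.first_fixed} ({level.bulletin})"
        # Newer than the listed affected range with no fix named, or in a gap between
        # last affected and first fixed: the bulletin on this page does not say.
        return "unknown", f"{installed} is not covered by {level.bulletin}"
    return "unknown", f"no {product} entry for the release line of {installed}"


if __name__ == "__main__":
    # Constructed inventory for demonstration, not real hosts.
    inventory = [("aem", "6.5.5.0"), ("aem", "6.4.8.2"), ("aem", "6.3.3.8"),
                 ("aem-forms", "SP5"), ("indesign-macos", "15.1.1"), ("framemaker", "2019.0.7")]
    for product, version in inventory:
        status, detail = assess(product, version)
        print(f"{product:15} {version:10} {status:9} {detail}")
```

The script deliberately returns "unknown" rather than guessing for versions the bulletins do not mention (for example an AEM 6.3 build newer than 6.3.3.8, or a 6.5 build between 6.5.5.0 and 6.5.6.0); a practitioner should check the bulletin itself, or newer Adobe guidance, before treating such an install as safe.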

Pierluigi Paganini

(SecurityAffairs – hacking, Adobe InDesign)
