Adobe has released security updates to address twelve critical vulnerabilities that could make it possible for attackers to execute arbitrary code on devices running vulnerable versions of Adobe InDesign, Adobe Framemaker, and Adobe Experience Manager.
The remaining flaws among the 18 patched today are important-severity bugs that could lead to arbitrary JavaScript execution in the browser via stored cross-site scripting, or to disclosure of sensitive information via execution with unnecessary privileges.
These important severity vulnerabilities were all found in the Adobe Experience Manager (AEM) and the AEM Forms add-on package, and they affect devices on all platforms running unpatched software versions.
Adobe advises customers to update the vulnerable apps to the latest versions as soon as possible to block attacks attempting to exploit unpatched installations.
APSB20-52 Security Update Available for Adobe InDesign
Adobe has released security updates for Adobe InDesign for macOS that fix memory corruption bugs reported by Kexu Wang of Fortinet's FortiGuard that could lead to arbitrary code execution in the context of the current user.
macOS users should install Adobe InDesign 15.1.2 to fix these five critical vulnerabilities.
Vulnerability Category | Vulnerability Impact | Severity | CVE Number |
---|---|---|---|
Memory Corruption | Arbitrary Code Execution | Critical | CVE-2020-9727, CVE-2020-9728, CVE-2020-9729, CVE-2020-9730, CVE-2020-9731 |
APSB20-54 Security Updates Available for Adobe Framemaker
Adobe has published security updates for Adobe Framemaker to patch out-of-bounds read and stack-based buffer overflow issues that may lead to arbitrary code execution in the context of the current user if successfully exploited on Windows devices.
Users are advised to install Adobe Framemaker 2019.0.7 immediately to fix these critical severity flaws.
Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers |
---|---|---|---|
Out-of-Bounds Read | Arbitrary code execution | Critical | CVE-2020-9726 |
Stack-based Buffer Overflow | Arbitrary code execution | Critical | CVE-2020-9725 |
APSB20-56 Security updates available for Adobe Experience Manager
Adobe has issued updates for Adobe Experience Manager and the AEM Forms add-on that fix stored and reflected cross-site scripting bugs, as well as HTML injection and execution with unnecessary privileges issues that could lead to arbitrary JavaScript execution, arbitrary HTML injection in the browser, and sensitive information disclosure.
Users should install Adobe Experience Manager 6.5.6.0 or 6.4.8.2 and AEM Forms add-on Service Pack 6 to patch these security vulnerabilities.
Vulnerability Category | Vulnerability Impact | Severity | CVE Number | Affected Versions |
---|---|---|---|---|
Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9732 | AEM Forms SP5 and earlier |
Execution with Unnecessary Privileges | Sensitive Information Disclosure | Important | CVE-2020-9733 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier |
Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9734 | AEM Forms SP5 and earlier |
Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Important | CVE-2020-9735 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier |
Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Important | CVE-2020-9736 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier |
Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Important | CVE-2020-9737 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier |
Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Important | CVE-2020-9738 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier |
Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9740 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier |
Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9741 | AEM Forms SP5 and earlier |
Cross-site scripting (reflected) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-9742 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier |
HTML injection | Arbitrary HTML injection in the browser | Important | CVE-2020-9743 | AEM 6.5.5.0 and earlier; AEM 6.4.8.1 and earlier; AEM 6.3.3.8 and earlier; AEM 6.2 SP1-CFP20 and earlier |
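
A patch-level check against the fixed versions named in the three bulletins above, as an added example (not Adobe's code). The inventory rows, host names, product keys and the `parse`/`status`/`audit` helpers are constructed for illustration; AEM branches that the table lists as affected but for which this article names no fixed build are reported as `review`.

```python
import re

# Fixed releases as named in the bulletins summarized above.
FIXED = {
    "InDesign": (15, 1, 2),      # APSB20-52 (macOS)
    "Framemaker": (2019, 0, 7),  # APSB20-54 (Windows)
}
# APSB20-56: AEM fixes are per branch (major.minor).
AEM_FIXED = {(6, 5): (6, 5, 6, 0), (6, 4): (6, 4, 8, 2)}
# Branches the table lists as affected, with no fixed build named on the page.
AEM_AFFECTED_ONLY = {(6, 3), (6, 2)}

def parse(version):
    """'6.4.8.1' -> (6, 4, 8, 1); anything non-numeric is rejected."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in version.split("."))

def status(product, version):
    """Return 'patched', 'vulnerable', 'review' or 'unknown'."""
    v = parse(version)
    if product == "AEM":
        branch = v[:2]
        if branch in AEM_AFFECTED_ONLY:
            return "review"  # affected branch, no fix named in the article
        fixed = AEM_FIXED.get(branch)
    else:
        fixed = FIXED.get(product)
    if fixed is None:
        return "unknown"
    # Pad to equal length so 6.5.10 compares as (6, 5, 10, 0), numerically.
    width = max(len(v), len(fixed))
    pad = lambda t: t + (0,) * (width - len(t))
    return "patched" if pad(v) >= pad(fixed) else "vulnerable"

def audit(inventory):
    """Return every inventory row that is not confirmed patched."""
    return [(host, prod, ver, status(prod, ver))
            for host, prod, ver in inventory
            if status(prod, ver) != "patched"]

# Constructed sample inventory (host names and installs are made up).
INVENTORY = [
    ("mac-design-01", "InDesign", "15.1.1"),
    ("win-docs-02", "Framemaker", "2019.0.7"),
    ("aem-author-01", "AEM", "6.5.5.0"),
    ("aem-publish-01", "AEM", "6.4.8.2"),
    ("aem-legacy-01", "AEM", "6.3.3.8"),
]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print(*row)
```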