Adobe Patches 12 Critical Flaws in Experience Manager, InDesign, and Framemaker

Adobe has released patches to correct 18 flaws on September 2020 Patch Tuesday. The flaws exist in Adobe Experience Manager, Adobe InDesign, and Adobe Framemaker. 12 of the vulnerabilities have been rated critical, with the rest rated important.

5 patches have been released to correct critical cross-site scripting vulnerabilities in Adobe Experience Manager (CVE-2020-9732, CVE-2020-9734, CVE-2020-9740, CVE-2020-9741, and CVE-2020-9742). These flaws could allow an attacker to execute malicious JavaScript in victims’ browsers.

Patches have been released to correct 6 important flaws. These are cross-site scripting flaws (CVE-2020-9735, CVE-2020-9736, CVE-2020-9737, CVE-2020-9738), an information disclosure flaw (CVE-2020-9733), and an HTML injection bug (CVE-2020-9743) that allows HTML to be injected in the browser. Adobe does not anticipate any of the Experience Manager flaws will be exploited imminently; however, prompt patching is recommended.

There are patches to correct 5 critical memory corruption vulnerabilities in Adobe InDesign (CVE-2020-9727, CVE-2020-9728, CVE-2020-9729, CVE-2020-9730, and CVE-2020-9731). Exploitation of these flaws could allow remote code execution in the context of the current user. There are no known exploits for the flaws in the public domain, and Adobe In-Design is not typically targeted by hackers, but prompt patching is still recommended.

Two critical flaws exist in Adobe Framemaker; an out-of-bounds read vulnerability (CVE-2020-9726) and a stack-based buffer overflow vulnerability (CVE-2020-9725).  Both of the Adobe Framemaker flaws could allow remote code execution in the context of the current user. As with Adobe Experience Manager and InDesign, this product has not historically been targeted by attackers, so exploitation is not imminent. Patches should however be applied promptly.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of