CVE-2025-46847 in Experience Manager
Summary
by MITRE • 06/11/2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Analysis
by VulDB Data Team • 06/13/2025
Adobe Experience Manager suffers from a critical stored cross-site scripting vulnerability that allows low-privilege attackers to inject malicious JavaScript into form fields within the application. The vulnerability exists in versions 6.5.22 and earlier and creates a persistent security risk: injected scripts remain stored on the server and execute whenever users access the affected pages. The flaw lies in the form handling mechanism, where user input is not properly sanitized or validated before being rendered back to users, so attackers can embed malicious payloads that persist across multiple user sessions.
The root cause of this vulnerability is inadequate input validation and output encoding within the AEM content management system. When users submit data through forms, the system fails to sufficiently sanitize the input, particularly in fields that are later rendered into web pages without proper contextual encoding. As a result, attackers can submit JavaScript payloads that are then executed in the context of other users' browsers. Because the vulnerability is stored rather than reflected, the malicious code remains active on the server until it is manually removed, giving attackers persistent access to victim sessions.
The operational impact of this vulnerability is significant, as it enables attackers to perform various malicious activities including session hijacking, credential theft, and data exfiltration. Low-privilege attackers who can submit content through forms gain the ability to compromise higher-privilege users who view the affected pages. The vulnerability can be exploited to steal session cookies, redirect users to malicious sites, or execute arbitrary commands on victim machines. This poses particular risk in enterprise environments where AEM is used for content management and user interaction, as it can lead to complete system compromise through social engineering or automated exploitation techniques.
Mitigation should focus on immediately patching affected AEM installations to version 6.5.23 or later, which contains the necessary security fixes. Organizations should implement comprehensive input validation and contextual output encoding to prevent malicious data from being stored or executed. Regular security scanning and penetration testing should be conducted to identify similar vulnerabilities in other applications. Additionally, deploying a Content Security Policy and disabling unnecessary form submission capabilities can reduce the attack surface. This vulnerability is classified under CWE-79, which covers cross-site scripting flaws, and maps to ATT&CK technique T1566 for social engineering attacks that leverage web-based exploits.
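To make the mechanism and the fix concrete, the following added example (not code from the advisory, from Adobe, or from AEM itself) models a form field that is persisted and later rendered: once with raw string interpolation, as the advisory describes, and once through a contextual HTML encoder. The field store, the sample field value, and the function names are constructed for this illustration.

```javascript
// Added example (not from the advisory or from Adobe): a minimal model of a
// stored-XSS bug in form handling and its fix via contextual output encoding.
// "fieldStore", the sample field value and the render functions are constructed.

const fieldStore = new Map();

// Simulates a form submission persisted server-side without validation.
function storeFormField(fieldName, value) {
  fieldStore.set(fieldName, value);
}

// Vulnerable renderer: interpolates the stored input straight into HTML, so a
// stored payload becomes live markup for every visitor of the page.
function renderFieldVulnerable(fieldName) {
  const value = fieldStore.get(fieldName) ?? "";
  return `<input name="${fieldName}" value="${value}"><p>${value}</p>`;
}

// Encoder for HTML text and quoted-attribute contexts: every character that
// can open or close a tag, an attribute or an entity becomes a reference.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#39;", "/": "&#47;",
  })[c]);
}

// Hardened renderer: same template, but each interpolation passes through the
// encoder for its context, so the stored value is displayed, not executed.
function renderFieldHardened(fieldName) {
  const value = encodeForHtml(fieldStore.get(fieldName) ?? "");
  const name = encodeForHtml(fieldName);
  return `<input name="${name}" value="${value}"><p>${value}</p>`;
}

// Crude review check over rendered output: did a stored value surface as raw
// markup (a script tag or an attribute breakout into an event handler)?
function containsRawMarkup(html) {
  return /<script|"\s*on\w+\s*=/i.test(html);
}

// Constructed sample: a comment field carrying an attribute-breakout payload.
storeFormField("comment", '"><script>alert(1)</script>');
console.log(containsRawMarkup(renderFieldVulnerable("comment"))); // true
console.log(containsRawMarkup(renderFieldHardened("comment")));   // false
```

In a real AEM deployment the equivalent of `encodeForHtml` is the platform's own context-aware encoding in the rendering layer; the point of the check is that the same stored value must never appear unencoded in any output context.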