CVE-2025-46847 in Experience Manager

Summary

by MITRE • 06/11/2025

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.


Analysis

by VulDB Data Team • 06/13/2025

Adobe Experience Manager suffers from a critical stored cross-site scripting vulnerability that allows low-privilege attackers to inject malicious JavaScript code into form fields within the application. The vulnerability exists in versions 6.5.22 and earlier and creates a persistent security risk: injected scripts remain stored on the server and execute whenever users access the affected pages. The flaw lies in the form-handling mechanism, where user input is not properly sanitized or validated before being rendered back to users, so attackers can embed malicious payloads that persist across multiple user sessions.

Technically, the vulnerability stems from inadequate input validation and output encoding within the AEM content management system. When users submit data through forms, the system fails to sufficiently sanitize the input, particularly in fields that are later rendered in web pages without proper contextual encoding. This lets attackers submit JavaScript payloads that are then executed in the context of other users' browsers. Because the vulnerability is stored, the malicious code remains active on the server until it is manually removed, giving attackers persistent access to victim sessions.

The operational impact of this vulnerability is significant as it enables attackers to perform various malicious activities including session hijacking, credential theft, and data exfiltration. Low privilege attackers who can submit content through forms gain the ability to compromise higher privilege users who view the affected pages. The vulnerability can be exploited to steal session cookies, redirect users to malicious sites, or execute arbitrary commands on victim machines. This poses particular risk in enterprise environments where AEM is used for content management and user interaction, as it can lead to complete system compromise through social engineering or automated exploitation techniques.

Mitigation should focus on immediately patching affected AEM installations to version 6.5.23 or later, which contains the necessary security fixes. Organizations should implement comprehensive input validation and output encoding to prevent malicious data from being stored or executed. Regular security scanning and penetration testing should be conducted to identify similar vulnerabilities in other applications. Additionally, deploying a content security policy and disabling unnecessary form submission capabilities can reduce the attack surface. This vulnerability aligns with CWE-79, which covers cross-site scripting flaws, and maps to ATT&CK technique T1566 for social engineering attacks that leverage web-based exploits.
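As an added defender-side illustration of the output-encoding mitigation described above (example code, not Adobe's or VulDB's own), the JavaScript below renders a stored form-field value once without encoding and once with context-aware encoding for the HTML text and attribute contexts; the field value is a constructed sample and the helper names are assumptions.

```javascript
// Added example: context-aware output encoding for a stored form-field value.
// Encoding is applied at render time, so whatever was stored stays inert in
// the HTML body context and inside a double-quoted attribute value.

const HTML_TEXT_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// Encode for an HTML element-content (text) context.
function encodeHtmlText(value) {
  return String(value).replace(/[&<>"'\/]/g, (c) => HTML_TEXT_ESCAPES[c]);
}

// Encode for a double-quoted HTML attribute value. Turning every
// non-alphanumeric character into a numeric entity keeps the attribute closed
// even if the stored value contains quotes, whitespace or '='.
function encodeHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/g,
    (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// Vulnerable pattern: the stored value is concatenated straight into markup.
function renderFieldUnsafe(label, storedValue) {
  return `<label>${label}</label>` +
    `<input value="${storedValue}">` +
    `<p>${storedValue}</p>`;
}

// Hardened pattern: each output location gets the encoding for its context.
function renderFieldSafe(label, storedValue) {
  return `<label>${encodeHtmlText(label)}</label>` +
    `<input value="${encodeHtmlAttribute(storedValue)}">` +
    `<p>${encodeHtmlText(storedValue)}</p>`;
}

// Constructed sample of a stored field value that tries to break out of the
// attribute and start a script element (a textbook encoder test string).
const CONSTRUCTED_STORED_VALUE = '"><script>probe()</script>';

// Regression check a defender can run: the rendered markup must contain no
// element or attribute boundary that came from the stored value.
function rendersInert(html) {
  return !/<script|<\/script|<img|onerror=|onload=/i.test(html);
}
```

`rendersInert` is a deliberately narrow sanity check for this sample, not a substitute for encoding; the encoding functions are what actually close the hole.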

Responsible

Adobe

Reservation

04/30/2025

Disclosure

06/11/2025

Moderation

accepted

CPE

ready

EPSS

0.00282

KEV

no

Activities

very low
