CVE-2025-46866 in Experience Manager

Summary

by MITRE • 06/11/2025

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.


Analysis

by VulDB Data Team • 06/11/2025

Adobe Experience Manager versions 6.5.22 and earlier contain a critical stored cross-site scripting vulnerability that represents a significant security risk for organizations relying on this platform for content management and digital experience delivery. This vulnerability falls under the CWE-79 category of Cross-Site Scripting and specifically manifests as a stored XSS flaw that allows attackers to inject malicious JavaScript code into form fields within the AEM interface. The vulnerability exists due to insufficient input validation and output encoding mechanisms that fail to properly sanitize user-supplied data before rendering it in web pages. Attackers with low privilege access can exploit this weakness by submitting malicious payloads through form fields that are subsequently stored in the system's database and executed whenever other users view the affected content.

The operational impact of this vulnerability extends beyond simple script execution as it provides attackers with a persistent foothold within the AEM environment. When victims browse to pages containing the vulnerable form fields, their browsers execute the injected JavaScript code, potentially leading to session hijacking, credential theft, or redirection to malicious sites. The stored nature of this vulnerability means that the malicious code remains persistent and can affect multiple users over time, making it particularly dangerous for organizations with shared content management systems. This vulnerability directly aligns with ATT&CK technique T1566.001 for credential access through phishing and T1059.001 for command and scripting interpreter, as attackers can leverage the executed scripts to establish further exploitation paths.

Organizations utilizing Adobe Experience Manager versions 6.5.22 and earlier should prioritize immediate remediation through official Adobe security patches and updates. The vulnerability demonstrates the critical importance of input sanitization and output encoding in web applications, particularly those handling user-generated content through form interfaces. Security teams should implement additional monitoring for unusual form submissions and conduct thorough code reviews to identify similar encoding vulnerabilities in custom AEM components. Organizations should also consider implementing web application firewalls and content security policies to provide additional defense-in-depth measures against XSS attacks. The vulnerability highlights the necessity of maintaining up-to-date security practices and regular vulnerability assessments to protect against persistent threats that can compromise entire content management ecosystems.

Responsible

Adobe

Reservation

04/30/2025

Disclosure

06/11/2025

Moderation

accepted

CPE

ready

EPSS

0.00259

KEV

no

Activities

very low

Sources
