CVE-2025-46903 in Experience Manager

Summary

by MITRE • 06/11/2025

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.


Analysis

by VulDB Data Team • 06/11/2025

Adobe Experience Manager suffers from a critical stored cross-site scripting vulnerability that undermines the security of web applications built on this platform. This vulnerability affects versions 6.5.22 and earlier, creating a persistent threat vector that allows attackers to inject malicious scripts into form fields that are subsequently stored and executed. The flaw represents a fundamental breakdown in input validation and output sanitization mechanisms within the AEM framework, enabling attackers to bypass security controls that should prevent malicious code execution.

The technical nature of this vulnerability stems from insufficient sanitization of user-supplied data within form processing components. When users submit data through web forms within AEM applications, the system fails to properly validate or escape special characters that could be interpreted as executable JavaScript code. This stored XSS vulnerability operates by allowing malicious input to be saved in the application's database or storage mechanisms, where it remains dormant until accessed by other users. The vulnerability specifically targets form fields that are rendered in web pages, making it particularly dangerous in content management scenarios where multiple users interact with shared data.
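The store-then-render path described above, as an added example that is not code from the advisory or from Adobe: a form value is persisted verbatim (which is expected) and later rendered for another user; the vulnerable renderer concatenates it into markup, the hardened one encodes it for the HTML context at output time. Sample submissions and the in-memory store are constructed for the example.

```javascript
// Constructed sample submissions; the second carries markup that a
// low-privileged user could place in a text field.
const SUBMISSIONS = [
  { user: 'alice', field: 'comment', value: 'Looks good to me' },
  { user: 'mallory', field: 'comment', value: '<script>document.title="x"</script>' },
];

// In-memory stand-in for the content repository (hypothetical). Values are
// stored as-is; the defect is in how they are rendered later, not stored.
const store = new Map();
function saveSubmission(sub) {
  store.set(`${sub.user}/${sub.field}`, sub.value);
}

// Encodes the characters that change meaning inside an HTML text node or a
// double-quoted attribute value.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: the stored value is dropped into markup unchanged, so any
// markup it contains is parsed and executed by every visitor's browser.
function renderVulnerable(key) {
  return `<div class="field">${store.get(key)}</div>`;
}

// Hardened: encode for the HTML context at the point of output, so the
// browser displays the text instead of interpreting it, whatever was stored.
function renderSafe(key) {
  return `<div class="field">${encodeForHtml(store.get(key))}</div>`;
}

// Detection helper for rendered output: flags a raw script tag that is not
// part of the template. Crude, but it catches the case in this advisory.
function containsRawScript(html) {
  return /<script[\s>]/i.test(html);
}

SUBMISSIONS.forEach(saveSubmission);
```

Input validation at submission time is a useful second layer, but it does not replace output encoding: the stored value may reach several render contexts, and a validator bypass leaves every one of them exposed.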

The operational impact of this vulnerability extends beyond simple script execution, as it creates a persistent backdoor for attackers to compromise user sessions and steal sensitive information. Low-privileged attackers can exploit this vulnerability to execute malicious scripts that may harvest cookies, session tokens, or other sensitive data from victim browsers. The stored nature of the vulnerability means that once injected, malicious code remains active until manually removed from the application's data stores, providing attackers with extended persistence capabilities. This vulnerability directly violates the principle of least privilege and undermines the trust model that AEM applications rely upon for secure content management.

Security professionals should prioritize immediate remediation through the application of Adobe's official patches and updates, as the vulnerability affects widely deployed enterprise content management systems. Organizations should implement additional defensive measures including web application firewalls, enhanced input validation, and regular security scanning of AEM applications. The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and maps to ATT&CK technique T1566.001 for initial access through malicious content. Regular security awareness training for content authors and administrators becomes critical, as social engineering remains a primary attack vector for exploiting such vulnerabilities in content management systems.

Responsible

Adobe

Reservation

04/30/2025

Disclosure

06/11/2025

Moderation

accepted

CPE

ready

EPSS

0.00300

KEV

no

Activities

very low

Sources
