CVE-2025-46905 in Experience Managerinfo

Summary

by MITRE • 06/11/2025

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 06/11/2025

Adobe Experience Manager represents a comprehensive digital experience platform that serves as a content management system for enterprises to build and manage web applications. The platform's architecture includes various form handling mechanisms that process user input through web interfaces. This stored cross-site scripting vulnerability exists within the form processing components of Adobe Experience Manager versions 6.5.22 and earlier, creating a persistent security weakness that allows malicious actors to inject malicious scripts into form fields that are subsequently stored and rendered to other users. The vulnerability stems from insufficient input validation and output encoding mechanisms within the platform's form handling subsystem, where user-supplied data is not properly sanitized before being stored in the system's database or content repository.

The technical flaw manifests when low privilege users can submit form data containing malicious javascript payloads through accessible form fields. These payloads are stored within the application's data storage system and executed whenever other users view the affected pages containing the vulnerable form fields. The stored nature of this vulnerability means that the malicious script persists beyond the initial submission, making it particularly dangerous as it can affect multiple users over time. The vulnerability falls under CWE-79 which specifically addresses cross-site scripting flaws, and aligns with ATT&CK technique T1531 which covers credential access through web application vulnerabilities. The attack vector requires minimal privileges and leverages the platform's legitimate form processing capabilities to execute malicious code in the victim's browser context, potentially leading to session hijacking, data exfiltration, or further exploitation of the victim's browser.

The operational impact of this vulnerability extends beyond simple script execution as it creates a persistent backdoor for attackers to compromise user sessions and access sensitive information. When exploited, the malicious JavaScript can steal user credentials, modify content, redirect users to malicious sites, or perform actions on behalf of the victim within the application context. This vulnerability particularly affects organizations using Adobe Experience Manager for collaborative environments where multiple users interact with shared content, as the stored nature of the vulnerability means that any user who views the affected content becomes a potential victim. The low privilege requirement for exploitation makes this vulnerability especially dangerous in environments where user access controls are not properly enforced, as attackers can leverage this weakness to escalate their privileges through session manipulation or credential theft.

Organizations should immediately implement mitigations including input validation and output encoding for all form fields, regular security updates to Adobe Experience Manager to version 6.5.23 or later, and comprehensive user access controls to limit form submission capabilities. The implementation of Content Security Policy headers should be enforced to prevent execution of unauthorized scripts, while regular security scanning of form processing components should be conducted. Additionally, organizations should consider implementing web application firewalls to detect and block malicious payload submissions, and conduct regular security training for administrators to recognize potential exploitation attempts. The vulnerability demonstrates the critical importance of proper input sanitization and output encoding in web applications, as highlighted by industry standards such as the OWASP Top Ten Project which consistently ranks cross-site scripting as one of the most critical web application security risks. Organizations should also implement monitoring solutions to detect unusual form submission patterns that may indicate exploitation attempts, and maintain regular vulnerability assessments of their Adobe Experience Manager installations to identify similar weaknesses in the platform's configuration or custom extensions.

Responsible

Adobe

Reservation

04/30/2025

Disclosure

06/11/2025

Moderation

accepted

CPE

ready

EPSS

0.00300

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!