CVE-2025-46909 in Experience Manager

Summary

by MITRE • 06/11/2025

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.


Analysis

by VulDB Data Team • 06/11/2025

Adobe Experience Manager versions 6.5.22 and earlier contain a stored cross-site scripting vulnerability (CWE-79). A low-privileged attacker can place JavaScript into form fields within the AEM interface, and the script is served back to other users who view the page that renders those fields. The behaviour is consistent with the usual cause of stored XSS: a stored field value is written into the rendered page without output encoding appropriate to the context (HTML body, attribute, or script) in which it lands, and input validation at submission time does not reject it.

Exploitation requires only that a low-privileged account submit script content through a form field it is allowed to write to. When another user later views the page that renders that field, the payload runs in that user's browser context, with the usual consequences: session hijacking, credential theft, or actions performed in the victim's name against the AEM instance. Because the payload persists in the content repository, a single injection keeps firing for every viewer until the stored value is removed, which is what makes stored XSS more dangerous than the reflected variety.

The operational impact follows from who views the affected page. If the victim is an author or administrator, the script runs with that session's privileges and can read or modify content, change publication state, or create further footholds (for example additional injected content or accounts) inside the organization's web presence. VulDB maps the vulnerability to ATT&CK T1566.001 (Phishing: Spearphishing Attachment) and T1566.002 (Phishing: Spearphishing Link), on the basis that the attacker lures victims to a legitimate-looking page inside the AEM environment; note, however, that no lure is strictly required, since the payload executes for anyone who views the page in the normal course of their work, which is closer to T1189 (Drive-by Compromise) in ATT&CK terms.

Organizations running affected AEM versions should update to a fixed release as published in Adobe's security advisory. Compensating controls while the update is scheduled: validate form input server-side (allow-lists, length limits, rejecting markup where none is expected), encode all user-supplied content at output time for the exact context it is rendered into (the same string needs different encoding in an HTML attribute than in a text node or a script block), and put a Content-Security-Policy in front of the site that disallows inline script so that an injected handler or script tag is blocked even if encoding is missed. A web application firewall with XSS signatures helps against commodity payloads but is easy to bypass and should not be relied on as the primary control. Security teams should also audit every form-backed field in the AEM instance by storing a harmless canary value in each one and inspecting how it is rendered, since the advisory does not enumerate which fields are affected, and should review stored content for payloads that predate the fix.

Responsible

Adobe

Reservation

04/30/2025

Disclosure

06/11/2025

Moderation

accepted

CPE

ready

EPSS

0.00300

KEV

no

Activities

very low

Sources
