CVE-2025-46912 in Experience Managerinfo

Summary

by MITRE • 06/11/2025

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 06/11/2025

Adobe Experience Manager suffers from a critical stored cross-site scripting vulnerability that allows low privileged attackers to inject malicious javascript code into form fields within the application. This vulnerability exists in versions 6.5.22 and earlier, creating a significant security risk for organizations using these older releases. The flaw enables attackers to persistently inject malicious scripts that execute in the context of victim browsers when they navigate to pages containing the compromised form fields.

The technical nature of this vulnerability stems from inadequate input validation and output sanitization within the AEM form processing mechanisms. When users submit data through vulnerable forms, the application fails to properly sanitize or escape the input before storing it in the backend database. This stored data is then later rendered back to users without proper context-aware encoding, creating the classic stored XSS attack vector. The vulnerability specifically affects form fields where user input is processed and displayed, making any content management or user submission functionality potentially exploitable.

The operational impact of this vulnerability is substantial as it allows attackers with minimal privileges to compromise the security of the entire application. A successful exploitation could enable attackers to steal session cookies, perform unauthorized actions on behalf of users, redirect victims to malicious sites, or extract sensitive information from the application. Since AEM is commonly used for enterprise content management and digital experience platforms, the potential attack surface is broad and could affect numerous organizational systems. The stored nature of the vulnerability means that once injected, malicious scripts persist until manually removed, making it particularly dangerous for long-term attacks.

Organizations should immediately upgrade to Adobe Experience Manager versions 6.5.23 or later, which contain patches addressing this vulnerability. Additionally, implementing proper input validation mechanisms, output encoding, and content security policies can help mitigate the risk. The vulnerability aligns with CWE-79 - Cross-site Scripting and follows ATT&CK technique T1531 - Account Access Through Social Engineering, as attackers may use this vulnerability to gain unauthorized access to user sessions and perform malicious activities within the application environment. Regular security assessments and input sanitization testing should be implemented to prevent similar vulnerabilities from emerging in other components of the application stack.

Responsible

Adobe

Reservation

04/30/2025

Disclosure

06/11/2025

Moderation

accepted

CPE

ready

EPSS

0.00300

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!