CVE-2025-46915 in Experience Managerinfo

Summary

by MITRE • 06/11/2025

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 06/11/2025

Adobe Experience Manager versions 6.5.22 and earlier contain a critical stored cross-site scripting vulnerability that represents a significant security risk for organizations relying on this content management platform. This vulnerability falls under the CWE-79 category of Cross-Site Scripting, specifically classified as a stored XSS flaw that allows attackers to inject malicious scripts into form fields that are subsequently stored and executed when other users view the affected content. The vulnerability is particularly concerning because it requires only low privileged user access to exploit, making it accessible to individuals who may not have administrative privileges within the system.

The technical implementation of this vulnerability stems from inadequate input validation and output encoding mechanisms within the form processing components of Adobe Experience Manager. When users submit data through vulnerable form fields, the system fails to properly sanitize or encode the input before storing it in the database or content repository. This allows malicious actors to embed JavaScript payloads that persist in the system and execute whenever legitimate users interact with the affected pages. The stored nature of this vulnerability means that the malicious code remains active even after the initial injection, potentially affecting multiple users over extended periods.

The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the capability to perform various malicious activities including session hijacking, credential theft, data exfiltration, and redirection to malicious websites. Attackers can leverage this vulnerability to steal user sessions, access sensitive information, or manipulate the content management system to further their objectives. The low privilege requirement makes this attack vector particularly dangerous because it can be exploited by insiders or compromised users with minimal access rights, potentially escalating to more severe attacks within the organization's digital infrastructure.

Organizations utilizing Adobe Experience Manager versions 6.5.22 or earlier should immediately implement mitigations including comprehensive input validation, output encoding, and regular security audits of form processing components. The recommended approach involves upgrading to patched versions of Adobe Experience Manager as soon as possible, implementing web application firewalls with XSS detection capabilities, and conducting thorough security testing of all form fields and content submission points. Additionally, organizations should consider implementing content security policies and monitoring for suspicious input patterns to detect potential exploitation attempts. This vulnerability aligns with ATT&CK technique T1566.001 for initial access through malicious inputs and T1059.007 for command and script injection, making it a critical target for both defensive and offensive security teams to address through comprehensive remediation strategies.

Responsible

Adobe

Reservation

04/30/2025

Disclosure

06/11/2025

Moderation

accepted

CPE

ready

EPSS

0.00275

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!