CVE-2025-46931 in Experience Managerinfo

Summary

by MITRE • 06/11/2025

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 06/13/2025

Adobe Experience Manager suffers from a critical stored cross-site scripting vulnerability that allows low-privileged attackers to inject malicious javascript code into form fields within the application. This vulnerability exists in versions 6.5.22 and earlier, representing a significant security flaw that could be exploited to compromise user sessions and execute unauthorized commands. The vulnerability stems from inadequate input validation and output encoding mechanisms within the form processing components, specifically affecting how user-supplied data is handled when stored and subsequently rendered back to users.

The technical implementation of this flaw involves the application's failure to properly sanitize user input before storing it in the backend database or content repository. When administrators or users view forms containing malicious payloads, the stored script executes in the context of the victim's browser session. This creates a persistent threat where attackers can embed malicious code in form fields that remain active until explicitly removed by system administrators. The vulnerability is particularly dangerous because it requires minimal privileges to exploit, making it accessible to users who should not have the ability to inject malicious code into the system.

The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the capability to perform session hijacking, steal sensitive user credentials, and potentially escalate privileges within the application. Attackers can leverage this vulnerability to create persistent backdoors or redirect users to malicious sites that can harvest additional sensitive information. The stored nature of the vulnerability means that once injected, malicious scripts remain active until manually removed, creating long-term exposure for affected organizations. This flaw directly violates security principles outlined in cwe-79 which addresses cross-site scripting vulnerabilities, and aligns with attack patterns described in the attack tree framework for web application exploitation.

Organizations utilizing affected Adobe Experience Manager versions should implement immediate mitigations including comprehensive input validation, output encoding, and regular security audits of form fields and user input handling mechanisms. System administrators should also consider implementing web application firewalls and content security policies to prevent exploitation of this vulnerability. The recommended remediation approach includes upgrading to supported versions of Adobe Experience Manager where this vulnerability has been addressed through proper input sanitization and output encoding controls. Additionally, organizations should conduct thorough vulnerability assessments to identify any existing malicious payloads that may have been injected through this vulnerability and establish monitoring procedures to detect similar exploitation attempts in the future.

Responsible

Adobe

Reservation

04/30/2025

Disclosure

06/11/2025

Moderation

accepted

CPE

ready

EPSS

0.00275

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!