CVE-2025-46933 in Experience Managerinfo

Summary

by MITRE • 06/11/2025

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 06/13/2025

Adobe Experience Manager versions 6.5.22 and earlier contain a critical stored cross-site scripting vulnerability that represents a significant security risk for organizations relying on this content management platform. This vulnerability falls under the CWE-79 category of Cross-Site Scripting and aligns with ATT&CK technique T1190 for Exploit Public-Facing Application. The flaw specifically affects form fields within the AEM interface where user input is not properly sanitized or validated before being stored and subsequently rendered back to users. Attackers with low privilege access can exploit this weakness by injecting malicious JavaScript code into form fields that are later displayed to other users. The stored nature of this vulnerability means that the malicious payload persists in the application's database and executes each time the affected page is accessed, making it particularly dangerous for widespread impact.

The operational impact of this vulnerability extends beyond simple script execution as it creates a persistent threat vector that can be leveraged for various malicious activities. An attacker could inject scripts to steal session cookies, redirect users to malicious websites, perform actions on behalf of authenticated users, or even establish persistent backdoors within the application. The low privilege requirement for exploitation makes this vulnerability particularly concerning as it can be exploited by users with minimal access rights, potentially escalating to more severe attacks. This weakness directly undermines the integrity of the application's user interface and can compromise the confidentiality and availability of sensitive information processed through the AEM platform.

Organizations utilizing affected Adobe Experience Manager versions should implement immediate mitigations to protect their systems from potential exploitation. The primary defense mechanism involves implementing comprehensive input validation and output encoding for all user-supplied data entering the application. This includes implementing proper sanitization of form fields and ensuring that all stored content is properly escaped before rendering in web pages. Organizations should also consider implementing Content Security Policy headers to limit script execution capabilities and restrict the sources from which scripts can be loaded. Additionally, privilege escalation controls should be reviewed and strengthened to limit the potential damage from low privilege accounts. The vulnerability demonstrates the importance of regular security patching and proper security testing of web applications, particularly those handling user input through form interfaces. Organizations should also consider implementing web application firewalls and monitoring solutions to detect and prevent exploitation attempts, as the stored nature of the vulnerability means that detection may be delayed until the malicious code is actually executed in a victim's browser environment.

Responsible

Adobe

Reservation

04/30/2025

Disclosure

06/11/2025

Moderation

accepted

CPE

ready

EPSS

0.00300

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!