CVE-2025-46964 in Experience Managerinfo

Summary

by MITRE • 06/11/2025

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 06/13/2025

Adobe Experience Manager versions 6.5.22 and earlier contain a stored cross-site scripting vulnerability that represents a significant security risk for organizations relying on this content management platform. This vulnerability falls under the CWE-79 category of Cross-Site Scripting and aligns with the ATT&CK technique T1059.001 for Command and Scripting Interpreter. The flaw exists in the form handling mechanism where user input is not properly sanitized before being stored and subsequently rendered back to users, creating an environment where malicious scripts can persist and execute in the context of victim browsers.

The technical implementation of this vulnerability stems from inadequate input validation and output encoding within the AEM form processing components. When low privileged users submit data through vulnerable form fields, the system fails to properly escape or sanitize the input before storing it in the database or content repository. This stored data is then later retrieved and displayed without appropriate security measures, allowing attackers to inject malicious JavaScript payloads that execute in the browsers of other users who view the affected content. The vulnerability is particularly concerning because it requires minimal privileges to exploit, making it accessible to users who may not have administrative rights.

The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform various malicious activities including session hijacking, credential theft, data exfiltration, and redirection to malicious websites. An attacker could craft payloads that steal user session cookies, redirect victims to phishing pages, or even execute more sophisticated attacks such as DOM-based XSS or CSRF attacks. The stored nature of the vulnerability means that the malicious scripts persist even after the initial injection, allowing for prolonged exploitation and potentially affecting multiple users over time.

Organizations should implement multiple layers of defense to mitigate this vulnerability including immediate patching of affected AEM instances to versions that address the XSS flaw, implementing comprehensive input validation and output encoding mechanisms, and deploying web application firewalls with XSS detection capabilities. Additionally, security teams should conduct thorough code reviews of custom form implementations, establish proper access controls to limit form submission privileges, and implement content security policies to reduce the impact of successful XSS attacks. The vulnerability demonstrates the critical importance of proper input sanitization and output encoding practices as outlined in OWASP Top Ten and the ATT&CK framework's emphasis on preventing and detecting script injection attacks. Regular security assessments and penetration testing should be conducted to identify similar vulnerabilities in custom applications built on the AEM platform.

Responsible

Adobe

Reservation

04/30/2025

Disclosure

06/11/2025

Moderation

accepted

CPE

ready

EPSS

0.00300

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!