CVE-2025-46965 in Experience Managerinfo

Summary

by MITRE • 06/11/2025

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 06/13/2025

Adobe Experience Manager presents a critical stored cross-site scripting vulnerability in versions 6.5.22 and earlier, allowing low-privileged attackers to inject malicious scripts into form fields that persist on the server. This vulnerability falls under CWE-79 which specifically addresses cross-site scripting flaws in web applications, where improper validation or sanitization of user-supplied data creates opportunities for attackers to execute arbitrary code within victim browsers. The flaw enables attackers to manipulate form fields that are subsequently rendered without adequate input sanitization, creating a persistent threat vector that can affect multiple users who view the compromised content.

The operational impact of this vulnerability extends beyond simple script execution, as it can be leveraged for session hijacking, credential theft, and phishing attacks against unsuspecting users. When victims browse to pages containing the maliciously injected scripts, their browsers execute the code within the context of their authenticated sessions, potentially allowing attackers to access sensitive data, modify content, or perform actions on behalf of the victims. This represents a significant risk to organizations relying on AEM for content management and user interaction, particularly those handling sensitive customer information or administrative functions. The vulnerability's persistence through stored data means that once injected, malicious scripts remain active until manually removed from the application's database.

Security professionals should implement immediate mitigations including comprehensive input validation and output encoding for all user-supplied data entering the AEM system. The recommended approach involves applying the latest security patches from Adobe as soon as they become available, while also implementing web application firewalls to detect and block suspicious script patterns. Organizations should conduct thorough security assessments of their AEM implementations to identify all potential injection points and ensure proper sanitization of all form fields and content management interfaces. Additionally, implementing content security policies and strict access controls can help limit the damage scope, while regular security monitoring should be established to detect any unauthorized script injections. The vulnerability aligns with attack techniques documented in the ATT&CK framework under T1059.001 for command and scripting interpreter and T1566.001 for spearphishing attachments, demonstrating how stored XSS can serve as a foundational attack vector for more sophisticated compromises.

Responsible

Adobe

Reservation

04/30/2025

Disclosure

06/11/2025

Moderation

accepted

CPE

ready

EPSS

0.00300

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!