CVE-2025-46977 in Experience Managerinfo

Summary

by MITRE • 06/11/2025

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 06/13/2025

Adobe Experience Manager suffers from a critical stored cross-site scripting vulnerability that allows low-privileged attackers to inject malicious JavaScript code into form fields within the application. This vulnerability exists in versions 6.5.22 and earlier, representing a significant security risk for organizations relying on this content management platform. The flaw enables attackers to persistently store malicious scripts that will execute whenever legitimate users interact with the affected form fields, creating a persistent threat vector that can compromise user sessions and data integrity.

The technical implementation of this vulnerability stems from inadequate input validation and output sanitization within the form processing mechanisms of Adobe Experience Manager. When users submit data through vulnerable form fields, the application fails to properly sanitize or escape the input before storing it in the database or rendering it in subsequent web pages. This creates an environment where attacker-controlled JavaScript code can be stored and subsequently executed in the context of other users' browsers. The stored nature of this vulnerability means that the malicious payload remains persistent and can affect multiple users over time without requiring repeated exploitation attempts.

The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform session hijacking, credential theft, and data exfiltration from authenticated users. Attackers can craft malicious payloads that steal cookies, session tokens, or other sensitive information from users browsing pages containing the vulnerable fields. The low privilege requirement for exploitation makes this vulnerability particularly dangerous as it can be leveraged by users with minimal access rights, potentially escalating to more severe attacks through session manipulation or privilege escalation techniques. This vulnerability directly aligns with CWE-79 which identifies cross-site scripting as a fundamental web application security weakness.

Organizations utilizing Adobe Experience Manager must implement immediate mitigation strategies to address this vulnerability. The primary recommendation involves upgrading to Adobe Experience Manager versions 6.5.23 or later, which contain patches specifically designed to address the stored XSS flaw. Additionally, administrators should implement comprehensive input validation and output encoding mechanisms within custom form implementations, ensuring that all user-supplied data is properly sanitized before processing. Network-level protections such as web application firewalls and content security policies can provide additional defense-in-depth measures. The vulnerability's characteristics also align with ATT&CK technique T1531 which focuses on the use of malicious code injection techniques, emphasizing the need for robust application security controls and regular security assessments to prevent exploitation of such persistent vulnerabilities in enterprise content management systems.

Responsible

Adobe

Reservation

04/30/2025

Disclosure

06/11/2025

Moderation

accepted

CPE

ready

EPSS

0.00275

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!