CVE-2025-47008 in Experience Managerinfo

Summary

by MITRE • 06/11/2025

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 06/16/2025

Adobe Experience Manager presents a critical stored cross-site scripting vulnerability in versions 6.5.22 and earlier, allowing low-privileged attackers to inject malicious scripts into form fields that persist in the application's database. This vulnerability falls under CWE-79 which specifically addresses cross-site scripting flaws where inadequate validation or sanitization of user-supplied data permits the execution of malicious client-side scripts. The flaw exists in the application's handling of user input within form fields, particularly those used for content management and user interaction. When victims browse to pages containing these vulnerable fields, the injected JavaScript executes in their browser context, potentially compromising user sessions and enabling further attack vectors.

The operational impact of this vulnerability extends beyond simple script execution as it provides attackers with the capability to manipulate user experiences and extract sensitive information. Attackers can leverage this flaw to steal session cookies, perform unauthorized actions on behalf of users, or redirect victims to malicious sites. The stored nature of this vulnerability means that once malicious input is submitted and saved, it remains persistent until manually removed, creating a long-term threat vector. This vulnerability specifically affects Adobe Experience Manager's content management capabilities, where users can submit content through various forms and interfaces, making it particularly dangerous in environments where multiple users interact with the platform.

Security practitioners should implement comprehensive input validation and output encoding measures to mitigate this vulnerability. The remediation process requires thorough sanitization of all user-supplied data before storage and proper HTML escaping when rendering content. Organizations must prioritize updating to Adobe Experience Manager versions 6.5.23 or later, which contain patches addressing this specific XSS vulnerability. Additionally, implementing web application firewalls and content security policies can provide additional layers of protection. The vulnerability aligns with ATT&CK technique T1531 which focuses on establishing persistence through malicious scripts, and T1059 which covers command and scripting interpreter usage. Regular security testing and code reviews should emphasize validation of user inputs and proper sanitization of data within form handling components to prevent similar vulnerabilities from emerging in the future.

Responsible

Adobe

Reservation

04/30/2025

Disclosure

06/11/2025

Moderation

accepted

CPE

ready

EPSS

0.00305

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!