CVE-2025-47037 in Experience Manager
Summary
by MITRE • 06/11/2025
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 06/16/2025
Adobe Experience Manager presents a critical stored cross-site scripting vulnerability in versions 6.5.22 and earlier, allowing low-privileged attackers to inject malicious scripts into form fields that persist on the server. This vulnerability falls under CWE-79 which specifically addresses cross-site scripting flaws in web applications. The flaw occurs when user-supplied input from form fields is not properly sanitized or validated before being rendered back to users, creating an environment where attacker-controlled JavaScript code can be stored and subsequently executed in victim browsers. The attack vector requires minimal privileges as the vulnerability targets form fields that are accessible to users with basic permissions, making it particularly dangerous in environments where content editors or contributors have access to form submission interfaces. When victims browse to pages containing these stored malicious payloads, their browsers execute the injected JavaScript code, potentially leading to session hijacking, data theft, or further exploitation of the victim's browser environment. The vulnerability aligns with ATT&CK technique T1531 which covers "Run-time Application Packing" and T1566 which covers "Phishing", as attackers can leverage this flaw to create malicious forms that appear legitimate to unsuspecting users. The impact extends beyond simple script execution as the stored nature of the vulnerability means that the malicious code can affect multiple users over time, potentially compromising user sessions and accessing sensitive data through the victim's browser context. This vulnerability is particularly concerning in enterprise environments where AEM is used for content management and user interaction, as it can be exploited to gain unauthorized access to user accounts and potentially escalate privileges within the application's security boundaries. Organizations should prioritize immediate patching of affected versions to prevent exploitation, while also implementing additional security controls such as input validation, output encoding, and content security policies to mitigate potential impact. The vulnerability demonstrates the importance of proper input sanitization and the principle of least privilege in web application security, where even seemingly benign form fields can become attack vectors when proper security measures are not implemented.