CVE-2025-47002
📋 TL;DR
Adobe Experience Manager versions 6.5.22 and earlier contain a stored cross-site scripting vulnerability that allows low-privileged attackers to inject malicious JavaScript into form fields. When victims visit pages containing the compromised fields, their browsers execute the attacker's code, potentially leading to session hijacking or data theft.
💻 Affected Systems
- Adobe Experience Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, deface websites, or redirect users to malicious sites, potentially leading to full system compromise.
Likely Case
Low-privileged attackers inject malicious scripts to steal session cookies or credentials from users who view compromised pages, enabling account takeover.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized before reaching user browsers, preventing execution.
🎯 Exploit Status
Exploitation requires low-privileged access to inject scripts into vulnerable form fields. No authentication bypass needed beyond basic user permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.5.23 or later
Vendor Advisory: https://helpx.adobe.com/security/products/experience-manager/apsb25-48.html
Restart Required: Yes
Instructions:
1. Download Adobe Experience Manager 6.5.23 or later from Adobe's official distribution channels. 2. Follow Adobe's upgrade documentation for your deployment type. 3. Apply the update to all affected instances. 4. Restart AEM services to complete the installation.
🔧 Temporary Workarounds
Input Validation and Sanitization
allImplement strict input validation and output encoding for all form fields to prevent script injection.
Implement Content Security Policy (CSP) headers
Use OWASP Java Encoder for output encoding
Configure input validation filters in AEM
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to restrict script execution
- Disable or restrict low-privileged user access to vulnerable form fields
🔍 How to Verify
Check if Vulnerable:
Check AEM version via CRXDE Lite or system console. If version is 6.5.22 or earlier, system is vulnerable.Check Version:
curl -u admin:password http://localhost:4502/system/console/status-productinfo | grep 'Adobe Experience Manager'Verify Fix Applied:
Verify AEM version is 6.5.23 or later. Test form fields with XSS payloads to confirm sanitization.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to form submission endpoints
- JavaScript payloads in request parameters
- Multiple failed validation attempts on form fields
Network Indicators:
- Unexpected script tags in HTTP responses
- External script loads from suspicious domains in page responses
SIEM Query:
source="aem_access.log" AND (POST AND "/content/" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload="))