Login Sign Up

CVE-2025-64546

5.4 MEDIUM
Cross-Site Scripting

📋 TL;DR

Adobe Experience Manager versions 6.5.23 and earlier contain a stored cross-site scripting vulnerability in form fields. Low-privileged attackers can inject malicious JavaScript that executes in victims' browsers when they visit compromised pages. This affects all users of vulnerable AEM instances.

💻 Affected Systems

Products:
  • Adobe Experience Manager
Versions: 6.5.23 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both author and publish instances. Requires low-privileged attacker access to vulnerable form fields.

📦 What is this software?

Experience Manager by Adobe

View all CVEs affecting Experience Manager →

Experience Manager by Adobe

View all CVEs affecting Experience Manager →

Experience Manager by Adobe

View all CVEs affecting Experience Manager →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware via drive-by downloads.

🟠

Likely Case

Session hijacking, credential theft, or defacement of web pages through injected content.

🟢

If Mitigated

Limited impact with proper input validation, output encoding, and Content Security Policy headers in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated low-privileged access. Stored XSS means payload persists until cleaned.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5.24 or later

Vendor Advisory: https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html

Restart Required: Yes

Instructions:

1. Download AEM 6.5.24 or later from Adobe Distribution. 2. Apply Service Pack following Adobe's upgrade documentation. 3. Restart AEM instances. 4. Verify version update.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement custom servlet filter to sanitize form field inputs

Implement Java servlet filter with OWASP Java Encoder library

Content Security Policy

all

Add CSP headers to restrict script execution

Add 'Content-Security-Policy: script-src 'self'' to HTTP headers

🧯 If You Can't Patch

  • Disable or restrict low-privileged user access to vulnerable form fields
  • Implement web application firewall rules to block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check AEM version via /system/console/status-productinfo or CRX Package Manager

Check Version:

curl -k https://<aem-host>:<port>/system/console/status-productinfo | grep 'Adobe Experience Manager'

Verify Fix Applied:

Verify version is 6.5.24 or later and test form fields with XSS payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to form endpoints
  • JavaScript payloads in request parameters
  • Multiple failed XSS attempts

Network Indicators:

  • Suspicious script tags in HTTP POST data
  • External script loads from form submissions

SIEM Query:

source="aem-access.log" AND ("<script" OR "javascript:" OR "onload=" OR "onerror=")

📊 Metadata

CVE ID: CVE-2025-64546
CVSS v3 Score: 5.4 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
EPSS Score: 0.04% exploit probability (10.1th percentile)
Published: December 10, 2025
Last Updated: December 12, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-64546, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)