CVE-2025-64551
📋 TL;DR
This DOM-based XSS vulnerability in Adobe Experience Manager allows an attacker with a low-privileged account to execute JavaScript in a victim's browser once the victim opens a crafted URL or interacts with a manipulated page. It affects AEM 6.5.23 and earlier and requires user interaction for successful exploitation.
💻 Affected Systems
- Adobe Experience Manager
📦 What is this software?
Adobe Experience Manager (AEM) is Adobe's enterprise content management and digital asset management platform. AEM 6.5 is the on-premises / Adobe Managed Services release line, maintained through cumulative service packs (6.5.x).
⚠️ Risk & Real-World Impact
Worst Case
Attacker steals session cookies, performs actions as authenticated user, or redirects to phishing sites, potentially leading to account compromise or data theft.
Likely Case
Session hijacking, defacement of web content, or credential theft from authenticated users who click malicious links.
If Mitigated
A Content Security Policy that does not allow inline script removes most of the impact, because the injected script or event handler cannot execute. Server-side input validation and WAF rules help less than they do against reflected XSS: in DOM-based XSS the payload is consumed by client-side script, and when it travels in the URL fragment (after the #) it is never sent to the server at all.
🎯 Exploit Status
Exploitation requires a low-privileged account and a victim who interacts with the crafted URL or page. Because the payload is processed entirely in the browser, scanners and proxies that only inspect requests and responses routinely miss DOM-based XSS; confirming exposure needs client-side testing (browser DevTools or a DOM-aware scanner).
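The following added example (not Adobe's code and not taken from the advisory) shows why DOM-based XSS is hard to see from the server side. It uses a constructed URL with a hypothetical path; the sink is simulated as string building so the script runs without a real DOM. Both the vulnerable pattern (untrusted value concatenated into HTML destined for innerHTML) and the hardened pattern (HTML-encode before the value reaches an HTML sink) are shown.

```javascript
// Added example (not Adobe's code): how a DOM-based XSS sink differs from a
// reflected one, and why the payload can be invisible to the server.

// Simulates the request line the server (and its access log) sees for a URL.
// The fragment (#...) is never transmitted by the browser.
function requestLineSeenByServer(fullUrl) {
  const u = new URL(fullUrl);
  return `GET ${u.pathname}${u.search} HTTP/1.1`;
}

// Reads a value the way vulnerable client-side code often does: from the
// fragment, which only the browser can see. URLSearchParams undoes the
// percent-encoding the URL parser applied to characters like < and space.
function paramFromFragment(fullUrl, name) {
  const u = new URL(fullUrl);
  const params = new URLSearchParams(u.hash.replace(/^#/, ''));
  return params.get(name);
}

// Vulnerable pattern: untrusted string concatenated into markup that the
// page would then assign to innerHTML. Returned as a string here so it runs
// without a DOM; the onerror= handler would execute in a real browser.
function renderUnsafe(value) {
  return `<div class="greeting">Hello, ${value}</div>`;
}

// Hardened pattern: HTML-encode before the value touches an HTML sink (or
// use textContent instead of innerHTML when the value is plain text).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

function renderSafe(value) {
  return `<div class="greeting">Hello, ${escapeHtml(value)}</div>`;
}

// Constructed sample: payload carried in the fragment. The path is
// hypothetical; it is not the component affected by the advisory.
const SAMPLE_URL =
  'https://author.example.com/content/page.html#name=<img src=x onerror=alert(document.cookie)>';

// Stand-alone demonstration.
console.log(requestLineSeenByServer(SAMPLE_URL)); // no payload in the log
console.log(renderUnsafe(paramFromFragment(SAMPLE_URL, 'name')));
console.log(renderSafe(paramFromFragment(SAMPLE_URL, 'name')));
```

The request line contains no trace of the payload, which is the practical reason the access-log and WAF indicators later on this page only catch the variants that travel in the query string.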
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.5.24 or later
Vendor Advisory: https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
Restart Required: Yes
Instructions:
1. Download the AEM 6.5.24 (or later) service pack from Adobe's Software Distribution.
2. Install the service pack following Adobe's upgrade documentation for 6.5 service packs.
3. Restart the AEM instance.
4. Verify the update by checking the installed version (Welcome page, "About Adobe Experience Manager", or the service-pack package in CRX Package Manager).
🔧 Temporary Workarounds
Implement Content Security Policy
Add a Content-Security-Policy header to restrict where scripts may load from and to block inline script, which limits what an injected payload can do.
Set the Content-Security-Policy header in the web server or Dispatcher configuration; the directive that matters here is script-src without 'unsafe-inline' (use nonces or hashes for legitimate inline script), together with object-src 'none' and base-uri.
Input Validation Filter
Deploy a servlet filter that validates and HTML-encodes request parameters before they reach components that write them into the page.
Implement a Java servlet filter that validates and encodes user inputs for the affected AEM components. This only helps where the tainted value passes through the server; a payload carried in the URL fragment bypasses it entirely. Scope the filter narrowly, since blanket encoding of parameters can break the authoring UI.
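To check the CSP workaround above is actually strong enough, here is an added example (not Adobe's code) that audits a Content-Security-Policy header value for the settings that matter against DOM-based XSS. The two policies are constructed: one that looks reasonable but still lets an injected onerror= handler run, and one that does not. In practice you paste in the header returned by `curl -sI` against the site.

```javascript
// Added example (not Adobe's code): audit a Content-Security-Policy header
// for the directives that decide whether an injected script can execute.

// Splits "directive value value; directive value" into a Map of
// lowercased directive name -> array of source tokens (kept as written).
function parseCsp(header) {
  const policy = new Map();
  for (const directive of header.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Returns a list of human-readable findings; an empty list means the policy
// has none of the weaknesses checked here.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];

  // script-src falls back to default-src when absent.
  const scriptSrc = policy.get('script-src') ?? policy.get('default-src');
  if (!scriptSrc) {
    findings.push('no script-src (and no default-src fallback): any script may run');
  } else {
    const lc = scriptSrc.map(t => t.toLowerCase());
    // Per CSP3, 'unsafe-inline' is ignored when a nonce or hash is present,
    // so it is only a finding when neither is there.
    const hasNonceOrHash = lc.some(t => /^'(nonce-|sha(256|384|512)-)/.test(t));
    if (lc.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("script-src allows 'unsafe-inline': an injected onerror= handler still executes");
    }
    // A bare wildcard or a whole scheme (https:, data:) lets the attacker
    // pull a script from any host.
    if (lc.some(t => t === '*' || /^[a-z][a-z0-9+.-]*:$/.test(t))) {
      findings.push('script-src allows a wildcard or an entire scheme');
    }
    if (lc.includes("'unsafe-eval'")) {
      findings.push("script-src allows 'unsafe-eval'");
    }
  }

  // object-src also falls back to default-src; anything but 'none' leaves
  // plugin-based script execution open.
  const objectSrc = policy.get('object-src') ?? policy.get('default-src');
  if (!objectSrc || objectSrc.length !== 1 || objectSrc[0].toLowerCase() !== "'none'") {
    findings.push("object-src is not 'none'");
  }
  if (!policy.has('base-uri')) {
    findings.push('no base-uri: an injected <base> tag can redirect relative script URLs');
  }
  return findings;
}

// Constructed policies for comparison (not taken from any real deployment).
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";
const STRICT_CSP =
  "default-src 'self'; script-src 'self' 'nonce-Ym9yaW5n'; object-src 'none'; base-uri 'self'";

// Stand-alone demonstration.
console.log('weak  :', auditCsp(WEAK_CSP));
console.log('strict:', auditCsp(STRICT_CSP));
```

The nonce in the strict policy is a placeholder; a real nonce must be generated per response and injected into the page's own script tags, which on AEM means template or Dispatcher cooperation rather than a static header. Hashes of the fixed inline scripts are the usual alternative when that is not feasible.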
🧯 If You Can't Patch
- Restrict low-privileged user access to content authoring interfaces
- Implement web application firewall (WAF) rules to detect and block XSS patterns, matching on URL-decoded values (single and double encoding); note that the WAF never sees the URL fragment, so this only catches payloads carried in the query string or body
🔍 How to Verify
Check if Vulnerable:
Check the AEM version on the login page (http://[host]:[port]/libs/granite/core/content/login.html), in "About Adobe Experience Manager" in the Touch UI, or in CRX Package Manager (look for the installed aem-service-pkg-6.5.x.0 package). Any version at 6.5.23 or earlier is affected.
Check Version:
curl -s http://[host]:[port]/libs/granite/core/content/login.html | grep 'AEM 6.5'
The login page string may only show the major release; the installed service-pack level is authoritative in CRX Package Manager or, with admin credentials, at http://[host]:[port]/system/console/productinfo.
Verify Fix Applied:
Confirm the installed version is 6.5.24 or later, then retest the affected component with the payload you used to confirm exposure and check in the browser that it is rendered as text rather than executed.
📡 Detection & Monitoring
Log Indicators:
- CSP violation reports (report-uri / report-to) showing blocked inline script or inline event handlers on AEM pages
- URL parameters containing script tags or event-handler attributes, raw or percent-encoded, in the access log
Network Indicators:
- HTTP requests with encoded script payloads in query parameters
SIEM Query:
source="aem-access.log" AND ("<script" OR "%3Cscript" OR "javascript:" OR "onerror=" OR "onerror%3D" OR "onload=" OR "onload%3D")
This is a literal substring match: decode the request URL in the SIEM where possible, because single- or double-encoded payloads otherwise slip through, and keep in mind that fragment-based payloads never appear in the access log.
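As an added example (not Adobe's code and not from the advisory), the detection logic of the query above run over constructed access-log lines, with URL-decoding applied first so that percent-encoded and double-encoded payloads are caught. The log lines are made up for the example; the fourth one stands in for a fragment-based attack and, as expected, produces no hit.

```javascript
// Added example (not Adobe's code): scan constructed AEM access-log lines for
// XSS markers after URL-decoding, which a literal SIEM substring match misses.

const XSS_MARKERS = [
  /<script/i,
  /javascript:/i,
  /\bon(error|load|mouseover|focus)\s*=/i,
  /<img\b/i,
  /<svg\b/i,
];

// Decodes percent-encoding repeatedly (bounded) to unwrap double encoding.
// Malformed sequences are returned unchanged instead of throwing.
function decodeRepeatedly(s, maxRounds = 3) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(cur.replace(/\+/g, ' '));
    } catch {
      return cur;
    }
    if (next === cur) return cur;
    cur = next;
  }
  return cur;
}

// Extracts the request target from a common/combined log format line.
function requestPathFromLogLine(line) {
  const m = line.match(/"(?:GET|POST|PUT|HEAD) (\S+) HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Returns one hit per matching line: line number (1-based), decoded path
// and the marker that fired.
function scanAccessLog(lines) {
  const hits = [];
  lines.forEach((line, idx) => {
    const path = requestPathFromLogLine(line);
    if (!path) return;
    const decoded = decodeRepeatedly(path);
    const marker = XSS_MARKERS.find(re => re.test(decoded));
    if (marker) hits.push({ line: idx + 1, decoded, marker: String(marker) });
  });
  return hits;
}

// Constructed sample log (hypothetical hosts and paths, not real traffic).
const SAMPLE_LOG = [
  '10.0.0.5 - - [12/Dec/2025:10:01:02 +0000] "GET /content/site/en.html?q=hello HTTP/1.1" 200 4120',
  '10.0.0.7 - - [12/Dec/2025:10:01:09 +0000] "GET /content/site/en.html?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4120',
  '10.0.0.9 - - [12/Dec/2025:10:01:15 +0000] "GET /content/site/en.html?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 4120',
  // Fragment-based payload: the browser strips everything after # before
  // sending the request, so the line is indistinguishable from benign traffic.
  '10.0.0.11 - - [12/Dec/2025:10:01:20 +0000] "GET /content/site/en.html HTTP/1.1" 200 4120',
];

// Stand-alone demonstration.
for (const hit of scanAccessLog(SAMPLE_LOG)) {
  console.log(`line ${hit.line}: ${hit.marker} matched ${hit.decoded}`);
}
```

The second line is caught by the raw "<script" term in the SIEM query only after decoding, and the third (double-encoded) line is caught by nothing in the original query at all, which is why the decoding step belongs in the detection pipeline rather than in the analyst's head.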