CVE-2025-64847
📋 TL;DR
This stored XSS vulnerability in Adobe Experience Manager allows low-privileged attackers to inject malicious JavaScript into form fields. When victims browse pages containing the injected scripts, their browsers execute the malicious code. Organizations using AEM versions 6.5.23 and earlier are affected.
💻 Affected Systems
- Adobe Experience Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, perform session hijacking, deface websites, or redirect users to malicious sites, potentially leading to full system compromise.
Likely Case
Attackers with low privileges could steal user session cookies, perform actions on behalf of authenticated users, or conduct phishing attacks against other users.
If Mitigated
With proper input validation and output encoding, the impact is limited to unsuccessful injection attempts with no code execution.
🎯 Exploit Status
Requires authenticated low-privileged access; exploitation is straightforward once access is obtained
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.5.24 or later
Vendor Advisory: https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
Restart Required: Yes
Instructions:
1. Download AEM 6.5.24 or later from the Adobe distribution portal.
2. Back up the current installation.
3. Apply the update following Adobe's upgrade documentation.
4. Restart AEM services.
🔧 Temporary Workarounds
Input Validation Filter
Implement custom servlet filters to sanitize user input in form fields
Implement Java servlet filter with OWASP Java Encoder library
Content Security Policy
Deploy strict CSP headers to limit script execution
Add 'Content-Security-Policy' header to AEM dispatcher configuration
🧯 If You Can't Patch
- Restrict low-privileged user access to content authoring interfaces
- Implement web application firewall rules to block XSS payload patterns
🔍 How to Verify
Check if Vulnerable:
Check AEM version via CRXDE Lite or system console; versions 6.5.23 and earlier are vulnerable
Check Version:
curl -u admin:password http://localhost:4502/system/console/status-productinfo
Verify Fix Applied:
Verify AEM version is 6.5.24 or later and test form fields with XSS payloads
📡 Detection & Monitoring
Log Indicators:
- Unusual content modifications by low-privileged users
- JavaScript payloads in request logs
- Multiple failed login attempts followed by content edits
Network Indicators:
- Unusual outbound connections from AEM server
- Suspicious JavaScript in HTTP responses
SIEM Query:
source="aem-access.log" AND ("script" OR "javascript:" OR "onload=" OR "onerror=")
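As an added example (not part of this advisory or of any Adobe tooling), the script below applies the log indicators above to constructed access log lines in a Common Log Format layout. It URL-decodes each request before matching, because an encoded `onerror%3D` would slip past the literal SIEM query, and it tightens the query's bare "script" term to "<script" so that ordinary clientlib `.js` requests are not flagged. The log layout, paths and user names are assumptions chosen for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (not real AEM logs): two write requests by a
# low-privileged author carrying encoded payloads, a normal clientlib fetch,
# and an anonymous page view.
SAMPLE_LOG = """\
10.0.0.5 - author1 [10/Nov/2025:10:01:02 +0000] "POST /content/forms/af/contact/jcr:content?text=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512
10.0.0.5 - author1 [10/Nov/2025:10:01:09 +0000] "POST /content/forms/af/contact/jcr:content?text=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 512
10.0.0.7 - admin [10/Nov/2025:10:02:00 +0000] "GET /etc.clientlibs/core/wcm/components/commons/site/clientlibs/container.js HTTP/1.1" 200 8844
10.0.0.9 - - [10/Nov/2025:10:03:00 +0000] "GET /content/we-retail/us/en.html HTTP/1.1" 200 20311
"""

# Common Log Format: ip ident user [timestamp] "method path protocol" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers from the advisory's SIEM query, with "script" narrowed to "<script";
# they are matched against the URL-decoded request.
XSS_MARKERS = ("<script", "javascript:", "onload=", "onerror=")

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(entry):
    """Flag content writes whose decoded request carries an XSS marker."""
    if entry["method"] not in ("POST", "PUT"):
        return False
    decoded = unquote_plus(entry["path"]).lower()
    return any(marker in decoded for marker in XSS_MARKERS)

def suspicious_entries(log_text):
    """Return every parsed entry that is_suspicious() flags."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append(entry)
    return hits

def hits_by_user(log_text):
    """Count flagged writes per user, to surface repeated edits by one account."""
    counts = {}
    for entry in suspicious_entries(log_text):
        counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts
```

Running it over SAMPLE_LOG flags only the two author1 writes; the clientlib request is left alone even though its path contains "script".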