How the CVE Works
CVE-2025-46964 affects Adobe Experience Manager (AEM) versions 6.5.22 and earlier. The vulnerability arises from insufficient input sanitization in form fields, which allows a low-privileged attacker to inject malicious JavaScript. When a victim accesses a compromised page, the script executes in their browser, potentially leading to session hijacking, data theft, or unauthorized actions. Because this is a stored XSS, the payload remains on the server, and keeps executing for every visitor, until it is manually removed.
DailyCVE Form
Platform: Adobe Experience Manager
Version: 6.5.22 and earlier
Vulnerability: Stored XSS
Severity: Critical
Date: 06/10/2025
Prediction: Patch expected by 07/15/2025
What Undercode Says
Check AEM version:
curl -I http://<target>/system/console/status-ProductInfo
XSS payload example:
<script>alert(document.cookie)</script>
Verify patch via Adobe Security Bulletin:
grep "AEM-2025-46964" /var/adobe/patch/logs
How the Exploit Works
1. Attacker authenticates with low privileges.
2. Submits malicious script via vulnerable form field.
3. Server stores payload without sanitization.
4. Victim loads page, triggering script execution.
Protection from this CVE
- Update to AEM 6.5.23 or later.
- Implement strict input validation.
- Use CSP headers to restrict script execution.
Impact
- Session hijacking.
- Unauthorized data access.
- Client-side compromise.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode