CVE-2025-46837

EUVD-2025-18050 | HIGH 8.7 (CVSS 3.1) | Published 2025-06-10

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

EUVD ID Assigned: Mar 14, 2026 19:49 (euvd), EUVD-2025-18050
Analysis Generated: Mar 14, 2026 19:49 (vuln.today)
CVE Published: Jun 10, 2025 23:15 (nvd)

Description

Adobe Experience Manager versions 6.5.22 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when the victim browses to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, which raises the confidentiality and integrity impact to High.

Analysis

Adobe Experience Manager (AEM) versions 6.5.22 and earlier contain a reflected Cross-Site Scripting (XSS) vulnerability in form field handling that allows low-privileged attackers to inject malicious JavaScript. When a victim visits a page containing the vulnerable field with attacker-controlled input, the script executes in their browser context, enabling session hijacking and credential theft. The vulnerability has a CVSS score of 8.7 (High) and requires user interaction but no special privileges beyond basic AEM access.

Technical Context

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - Reflected XSS), indicating inadequate input sanitization and output encoding in AEM's form field rendering engine. The vulnerability exists in versions 6.5.22 and earlier, suggesting the flaw is in core form processing components that fail to properly escape or validate user-supplied data before rendering it in HTML context. The reflected nature means the malicious payload must be delivered via URL or crafted request, and the vulnerability likely affects multiple form field types across AEM's authoring and publishing interfaces. The attack vector is network-based (AV:N) with low complexity (AC:L), meaning exploitation requires no special conditions and works over standard HTTP/HTTPS.

Affected Products

Experience Manager (6.5.22 and earlier)

Remediation

Upgrade to Adobe Experience Manager 6.5.23 or later. This version contains fixes for the reflected XSS vulnerability in form field handling.

Verification: Verify the patched version via Adobe's official release notes and security bulletins.

Workaround: If immediate patching is not possible: (1) restrict form field access to authenticated users only via access control lists; (2) implement Web Application Firewall (WAF) rules to detect and block common XSS payloads (script tags, event handlers, javascript: protocol); (3) enable Content Security Policy (CSP) headers to restrict script execution; (4) educate users not to click suspicious links containing form field parameters.

Detection: Monitor AEM access logs for URL patterns containing suspicious characters (<, >, script, onerror, onload) in form field parameters. Implement IDS/IPS signatures for reflected XSS patterns targeting known AEM form endpoints.

Configuration: Review and enforce strict input validation policies in AEM forms configuration. Ensure all user-supplied input is properly HTML-encoded before rendering. Implement allowlist-based validation for form fields rather than blacklist approaches.
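As an added example of the log monitoring described under Detection (this code is not from the vuln.today page or from Adobe): a small Python scanner that reads NCSA combined-format access log lines, such as those written by an httpd or dispatcher in front of AEM, decodes each query parameter the way a browser would (including double-encoded values), and reports the markers listed above. The log lines are constructed and the form path /content/forms/af/ is an assumed endpoint.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed NCSA combined-format lines (not real AEM traffic). The form path
# /content/forms/af/ is an assumed endpoint used only for illustration.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2025:12:00:01 +0000] "GET /content/forms/af/contact.html?name=Alice&city=Berlin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Jun/2025:12:00:09 +0000] "GET /content/forms/af/contact.html?name=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jun/2025:12:00:15 +0000] "GET /content/forms/af/contact.html?city=x%22%20onerror%3Dx HTTP/1.1" 200 5190 "-" "curl/8.0"
10.0.0.3 - - [10/Jun/2025:12:01:00 +0000] "GET /content/site/page.html?q=script+kiddie HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Markers from the Detection guidance above. A bare "script" substring is not
# matched: it is noisy (think "description"), and a real tag needs "<" anyway.
MARKER_RE = re.compile(r'(?P<tag>[<>])|(?P<handler>\bon[a-z]+\s*=)|(?P<proto>javascript\s*:)', re.I)

def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded input is seen as the browser sees it."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target: str) -> list:
    """Return (parameter, marker kind) pairs for query values carrying XSS markers."""
    hits = []
    # parse_qsl already decodes one layer of %XX and '+'; decode_fully peels any extra layers.
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        m = MARKER_RE.search(decode_fully(raw))
        if m:
            hits.append((name, m.lastgroup))
    return hits

def scan_log(text: str) -> list:
    """Scan access log lines; return one finding per request with a flagged parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a production scanner should count these
        hits = suspicious_params(m['target'])
        if hits:  # a 200 here means the server rendered the page for that input
            findings.append({'ip': m['ip'], 'ts': m['ts'], 'status': int(m['status']),
                             'path': urlsplit(m['target']).path, 'hits': hits})
    return findings
```

Calling scan_log(SAMPLE_LOG) reports the second and third requests only; the benign "script kiddie" query is not flagged, which is why the scanner matches brackets, on...= handlers and the javascript: scheme after decoding rather than the bare word "script".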

Priority Score

44 (scale: Low, Medium, High, Critical)
KEV: 0
EPSS: +0.1
CVSS: +44
POC: 0


CVE-2025-46837 vulnerability details – vuln.today
