Skip to main content

Experience Manager EUVDEUVD-2025-18050

| CVE-2025-46837 HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-06-10 psirt@adobe.com
8.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 14, 2026 - 19:49 euvd
EUVD-2025-18050
Analysis Generated
Mar 14, 2026 - 19:49 vuln.today
CVE Published
Jun 10, 2025 - 23:15 nvd
HIGH 8.7

DescriptionCVE.org

Adobe Experience Manager versions 6.5.22 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.

AnalysisAI

Adobe Experience Manager (AEM) versions 6.5.22 and earlier contain a reflected Cross-Site Scripting (XSS) vulnerability in form field handling that allows low-privileged attackers to inject malicious JavaScript. When a victim visits a page containing the vulnerable field with attacker-controlled input, the script executes in their browser context, enabling session hijacking and credential theft. The vulnerability has a CVSS score of 8.7 (High) and requires user interaction but no special privileges beyond basic AEM access.

Technical ContextAI

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - Reflected XSS), indicating inadequate input sanitization and output encoding in AEM's form field rendering engine. The vulnerability exists in versions 6.5.22 and earlier, suggesting the flaw is in core form processing components that fail to properly escape or validate user-supplied data before rendering it in HTML context. The reflected nature means the malicious payload must be delivered via URL or crafted request, and the vulnerability likely affects multiple form field types across AEM's authoring and publishing interfaces. The attack vector is network-based (AV:N) with low complexity (AC:L), meaning exploitation requires no special conditions and works over standard HTTP/HTTPS.

RemediationAI

Upgrade to Adobe Experience Manager 6.5.23 or later. This version contains fixes for the reflected XSS vulnerability in form field handling.; verification: Verify patched version via Adobe's official release notes and security bulletins Workaround: If immediate patching is not possible: (1) Restrict form field access to authenticated users only via access control lists; (2) Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads (script tags, event handlers, javascript: protocol); (3) Enable Content Security Policy (CSP) headers to restrict script execution; (4) Educate users not to click suspicious links containing form field parameters Detection: Monitor AEM access logs for URL patterns containing suspicious characters (<, >, script, onerror, onload) in form field parameters. Implement IDS/IPS signatures for reflected XSS patterns targeting known AEM form endpoints. Configuration: Review and enforce strict input validation policies in AEM forms configuration. Ensure all user-supplied input is properly HTML-encoded before rendering. Implement allowlist-based validation for form fields rather than blacklist approaches.

CVE-2025-34510 HIGH POC
8.8 Jun 17

Sitecore Experience Manager, Platform, and Commerce versions 9.0 through 10.4 contain a Zip Slip vulnerability that allo

CVE-2025-34511 HIGH POC
8.8 Jun 17

Sitecore PowerShell Extensions through version 7.0 allows authenticated users to upload arbitrary files including ASPX w

CVE-2016-0957 HIGH POC
7.5 Feb 10

Dispatcher before 4.1.5 in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0 does not properly implement a URL filter, wh

CVE-2025-49533 CRITICAL POC
9.8 Jul 08

Adobe Experience Manager versions 6.5.23.0 and earlier contain a deserialization of untrusted data vulnerability that al

CVE-2025-34509 HIGH POC
7.5 Jun 17

Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 through 10.4.1 contain a hardcoded administr

CVE-2016-0956 HIGH POC
7.5 Feb 10

The Servlets Post component 2.3.6 in Apache Sling, as used in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0, allows r

CVE-2023-35813 CRITICAL POC
9.8 Jun 17

Multiple Sitecore products allow remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remote

CVE-2017-3108 CRITICAL
9.8 Aug 11

Adobe Experience Manager 6.2 and earlier has a malicious file execution vulnerability. Rated critical severity (CVSS 9.8

CVE-2025-54249 MEDIUM POC
6.5 Sep 09

Adobe Experience Manager versions 6.5.23.0 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerabilit

CVE-2025-53694 HIGH POC
7.5 Sep 03

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Sitecore Sitecore Experience Manager (XM), S

CVE-2024-46938 HIGH POC
7.5 Sep 15

An issue was discovered in Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) 8.0

CVE-2023-33651 HIGH POC
7.5 Jun 06

An issue in the MVC Device Simulator of Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Comme

Share

EUVD-2025-18050 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy