CVE-2025-47067 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.22 and earlier. This vulnerability arises from insufficient input sanitization in certain form fields within AEM, allowing a low-privileged attacker to inject malicious JavaScript code that is persistently stored on the server. When a victim user accesses the affected page containing the malicious input, the injected script executes in their browser context. The vulnerability is classified under CWE-79, indicating a classic stored XSS flaw. The CVSS v3.1 base score is 5.4 (medium severity), with the vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, meaning the attack can be launched remotely over the network with low complexity, requires low privileges, and user interaction is needed to trigger the payload. The scope is changed (S:C), indicating the vulnerability affects resources beyond the initially vulnerable component. The impact includes limited confidentiality and integrity loss, as the attacker can execute arbitrary scripts in the context of the victim’s browser session, potentially stealing session tokens, performing actions on behalf of the user, or defacing content. Availability is not impacted. No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability is significant because AEM is widely used by enterprises for content management and digital experience delivery, making it a valuable target for attackers aiming to compromise user sessions or inject malicious content into trusted websites.

For European organizations using Adobe Experience Manager, this vulnerability poses a risk of client-side attacks that can lead to session hijacking, unauthorized actions performed by users, and reputational damage due to content manipulation. Since AEM is often deployed in customer-facing portals, marketing sites, and intranet environments, exploitation could lead to leakage of sensitive user information or unauthorized access to internal resources if session tokens or credentials are stolen. The medium severity score reflects that while the vulnerability does not directly compromise server integrity or availability, the impact on confidentiality and integrity of user interactions is non-trivial. European organizations in sectors such as finance, government, healthcare, and e-commerce that rely on AEM for digital engagement could face regulatory scrutiny under GDPR if personal data is compromised via this vector. Additionally, the requirement for low privileges to exploit and the persistent nature of stored XSS increase the attack surface, especially in environments where multiple users interact with the platform.

To mitigate this vulnerability, European organizations should prioritize the following actions: 1) Apply official patches or updates from Adobe as soon as they become available, specifically upgrading beyond version 6.5.22. 2) Implement strict input validation and output encoding on all user-supplied data in AEM forms to prevent malicious script injection. 3) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts within the browser context. 4) Conduct thorough security testing, including automated scanning and manual penetration testing focused on XSS vectors in AEM deployments. 5) Limit user privileges to the minimum necessary, reducing the risk that low-privileged users can inject malicious content. 6) Monitor web application logs and user activity for unusual behavior indicative of exploitation attempts. 7) Educate developers and administrators on secure coding practices and the risks of stored XSS. 8) Consider deploying web application firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting AEM. These measures combined will reduce the likelihood and impact of exploitation beyond generic advice.