CVE-2025-47071 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.22 and earlier. This vulnerability allows a low-privileged attacker to inject malicious JavaScript code into vulnerable form fields within the AEM interface. When a victim user accesses a page containing the injected malicious script, the script executes in the context of the victim's browser session. The vulnerability is classified as CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 5.4, reflecting a medium severity level. The attack vector is network-based (AV:N), requiring low attack complexity (AC:L), and low privileges (PR:L). User interaction is required (UI:R) as the victim must visit the compromised page. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component. The impact affects confidentiality and integrity (C:L/I:L) but not availability (A:N). No known exploits are currently reported in the wild, and no patches have been linked yet. Stored XSS vulnerabilities are particularly dangerous because the malicious payload persists on the server and can affect multiple users, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim user.

For European organizations using Adobe Experience Manager, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive information managed through the platform. AEM is widely used by enterprises and public sector organizations for content management and digital experience delivery. Exploitation could lead to unauthorized access to user sessions, theft of authentication tokens, or manipulation of content, undermining trust and potentially causing data breaches. Given the persistence of stored XSS, multiple users could be affected, amplifying the impact. This is particularly critical for organizations handling personal data under GDPR regulations, as exploitation could result in regulatory penalties and reputational damage. Additionally, attackers could leverage this vulnerability as a foothold for further attacks within the network, especially if the compromised accounts have elevated privileges.

European organizations should prioritize the following mitigations: 1) Apply official Adobe patches or updates as soon as they become available for AEM versions 6.5.22 and earlier. 2) Implement strict input validation and output encoding on all form fields to prevent injection of malicious scripts. 3) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 4) Conduct regular security audits and penetration testing focused on web application vulnerabilities, including XSS. 5) Limit user privileges to the minimum necessary to reduce the impact of low-privileged attackers. 6) Monitor web application logs for unusual input patterns or repeated attempts to inject scripts. 7) Educate users to recognize suspicious behavior and report anomalies promptly. 8) Consider deploying Web Application Firewalls (WAFs) with rules tuned to detect and block XSS payloads targeting AEM.