CVE-2025-47073 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.22 and earlier. This vulnerability allows a low-privileged attacker to inject malicious JavaScript code into vulnerable form fields within the AEM interface. When a victim user accesses a page containing the compromised form field, the injected script executes in their browser context. Stored XSS differs from reflected XSS in that the malicious payload is permanently stored on the server (e.g., in a database or content repository) and served to users, increasing the attack's persistence and potential impact. The vulnerability arises due to insufficient input validation and output encoding on user-supplied data in form fields. Exploitation requires the attacker to have at least low-level privileges to submit data to the vulnerable fields, and the victim must interact with or view the affected page for the script to execute. The CVSS 3.1 base score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, low privileges required, and user interaction needed. The impact includes partial confidentiality and integrity loss, as malicious scripts can steal session tokens, perform actions on behalf of users, or manipulate displayed content. Availability is not affected. No known exploits are currently reported in the wild, and no official patches or mitigations have been linked yet. The vulnerability is classified under CWE-79, a common web application security weakness related to improper neutralization of input during web page generation.

For European organizations using Adobe Experience Manager, this vulnerability poses a significant risk to web application security and user trust. A successful exploit can lead to session hijacking, unauthorized actions performed with victim user privileges, and potential data leakage. Organizations relying on AEM for content management and customer-facing portals may experience reputational damage and compliance issues, especially under GDPR, if personal data is compromised. The persistence of stored XSS increases the risk of widespread impact across multiple users and sessions. Attackers could target administrative users or content editors to escalate privileges or pivot to further internal compromise. Given AEM's use in government, financial, and enterprise sectors in Europe, the vulnerability could be leveraged for espionage, fraud, or disruption of critical services. Although no availability impact is expected, the confidentiality and integrity breaches can have cascading effects on business operations and regulatory compliance.

1. Immediate mitigation should include reviewing and restricting user privileges to the minimum necessary, limiting the ability of low-privileged users to submit data to vulnerable form fields. 2. Implement strict input validation and output encoding on all user-supplied data in AEM forms, ensuring that scripts or HTML tags are properly sanitized or escaped before storage or rendering. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing AEM pages. 4. Monitor logs and user activity for unusual input patterns or repeated form submissions that could indicate attempted exploitation. 5. Until an official patch is released, consider disabling or restricting access to vulnerable form fields or modules, especially on public-facing sites. 6. Conduct thorough security testing, including automated scanning and manual code review, focusing on input handling in AEM components. 7. Educate users and administrators about the risks of XSS and encourage cautious behavior when interacting with untrusted content. 8. Stay updated with Adobe security advisories for patches or workarounds and apply them promptly once available.