CVE-2025-47073 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.22 and earlier. This vulnerability allows a low-privileged attacker to inject malicious JavaScript code into vulnerable form fields within the AEM interface. When a victim user accesses a page containing the injected malicious script, the script executes in their browser context. Stored XSS differs from reflected XSS in that the malicious payload is permanently stored on the server, making it accessible to any user who visits the affected page. The vulnerability arises due to insufficient input sanitization or output encoding of user-supplied data in form fields. The CVSS 3.1 base score is 5.4 (medium severity), reflecting that the attack can be launched remotely over the network (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component. The impact affects confidentiality and integrity (C:L/I:L) but not availability (A:N). No known exploits are currently reported in the wild, and no patches are linked yet. However, given the widespread use of Adobe Experience Manager as a content management system in enterprises, this vulnerability could be leveraged to steal session tokens, perform actions on behalf of users, or conduct phishing attacks by injecting malicious scripts that alter page content or capture user input.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on Adobe Experience Manager to manage public-facing websites or internal portals. Exploitation could lead to unauthorized disclosure of sensitive information such as session cookies, personal data, or corporate credentials, violating GDPR and other data protection regulations. The integrity of web content could be compromised, damaging organizational reputation and trust. Attackers could also use the vulnerability to conduct targeted phishing campaigns or lateral movement within the network if internal users are affected. Given the medium severity and requirement for user interaction, the threat is moderate but should not be underestimated, particularly in sectors like finance, government, and healthcare where AEM is commonly deployed and data sensitivity is high.

Organizations should prioritize the following mitigations: 1) Monitor Adobe’s official security advisories for patches addressing CVE-2025-47073 and apply them promptly once available. 2) Implement strict input validation and output encoding on all form fields within AEM to prevent script injection. 3) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 4) Conduct regular security audits and penetration testing focused on XSS vulnerabilities in web applications. 5) Educate users about the risks of clicking suspicious links or interacting with untrusted content. 6) Use web application firewalls (WAFs) with rules tuned to detect and block XSS payloads targeting AEM. 7) Limit privileges of users who can submit content to reduce the attack surface. 8) Review and harden session management to mitigate session hijacking risks from stolen cookies.