CVE-2025-47115 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.22 and earlier. This vulnerability allows a low-privileged attacker to inject malicious JavaScript code into vulnerable form fields within the AEM interface. When a victim user accesses a page containing the injected malicious script, the script executes in their browser context. Stored XSS vulnerabilities are particularly dangerous because the malicious payload is saved on the server and served to any user who visits the affected page, potentially impacting multiple users. The vulnerability requires low privileges to exploit but does require user interaction (visiting the compromised page). The CVSS 3.1 base score is 5.4 (medium severity), reflecting that the attack vector is network-based, with low attack complexity, requiring privileges and user interaction, and impacts confidentiality and integrity but not availability. The scope is changed, indicating that the vulnerability affects components beyond the initially vulnerable component. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to XSS.

For European organizations using Adobe Experience Manager, this vulnerability could lead to unauthorized script execution in users' browsers, potentially resulting in session hijacking, theft of sensitive information such as authentication tokens, or unauthorized actions performed on behalf of users. Given that AEM is widely used by enterprises and public sector organizations for content management and digital experience delivery, exploitation could compromise the confidentiality and integrity of sensitive corporate or customer data. This is particularly critical for organizations handling personal data under GDPR, as exploitation could lead to data breaches with regulatory and reputational consequences. The vulnerability could also facilitate phishing or social engineering campaigns by injecting malicious content into trusted web pages. While availability is not directly impacted, the indirect effects on trust and data security can be significant.

Organizations should prioritize upgrading Adobe Experience Manager to a version that addresses this vulnerability once a patch is released by Adobe. In the interim, implement strict input validation and output encoding on all form fields to prevent injection of malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Review and harden user privileges to minimize the number of users with the ability to input data into vulnerable fields. Conduct thorough security testing and code reviews focusing on input sanitization in AEM deployments. Monitor web traffic and logs for unusual activity that may indicate exploitation attempts. Additionally, educate users about the risks of interacting with suspicious content and ensure that browsers are kept up to date to leverage built-in XSS protections.