CVE-2025-64797 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. The vulnerability arises from insufficient sanitization of user input in certain form fields, allowing an attacker with low privileges to inject malicious JavaScript code that is persistently stored and later executed in the browsers of users who access the affected pages. This type of vulnerability is classified under CWE-79 and can lead to client-side attacks such as session hijacking, cookie theft, or redirection to malicious sites. The vulnerability requires the attacker to have some level of privilege to submit data to the vulnerable form fields and requires victim user interaction to trigger the malicious script execution. The CVSS v3.1 base score of 5.4 reflects a medium severity, with attack vector being network-based, low attack complexity, requiring privileges, and user interaction. The impact affects confidentiality and integrity but not availability. No patches or exploit code are currently publicly available, and no known exploits have been reported in the wild. Adobe Experience Manager is widely used by enterprises for web content management, making this vulnerability relevant for organizations relying on AEM for their digital presence. The vulnerability's scope is limited to affected versions and specific form fields that do not properly sanitize input, emphasizing the importance of input validation and output encoding in web applications.

For European organizations, this vulnerability poses a risk primarily to the confidentiality and integrity of user sessions and data processed through Adobe Experience Manager portals. Exploitation could enable attackers to steal session cookies, perform actions on behalf of users, or deliver phishing payloads, potentially leading to unauthorized access or data leakage. Organizations in sectors such as finance, government, and e-commerce that rely on AEM for customer-facing websites are particularly at risk due to the potential reputational damage and regulatory consequences under GDPR if user data is compromised. While the vulnerability does not impact system availability, the client-side execution of malicious scripts can undermine user trust and lead to broader security incidents. The requirement for low privileges and user interaction lowers the barrier for exploitation, making it a credible threat if not addressed promptly.

1. Apply official Adobe patches or updates as soon as they become available for Adobe Experience Manager versions 6.5.23 and earlier. 2. Implement strict input validation and sanitization on all form fields to prevent injection of malicious scripts. 3. Employ output encoding techniques on data rendered in web pages to neutralize any injected scripts. 4. Restrict user privileges to the minimum necessary, especially for users who can submit data to vulnerable forms. 5. Use Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 6. Monitor web application logs for unusual input patterns or repeated attempts to inject scripts. 7. Educate users to be cautious of unexpected behaviors or prompts on AEM-managed websites. 8. Conduct regular security assessments and penetration tests focusing on web application vulnerabilities including XSS.