CVE-2025-64799 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. The vulnerability arises from insufficient sanitization of user-supplied input in certain form fields, allowing a low-privileged attacker to inject malicious JavaScript code that is persistently stored on the server. When other users visit the affected pages containing the injected scripts, the malicious code executes in their browsers within the security context of the vulnerable web application. This can lead to theft of sensitive information such as session cookies, user credentials, or other confidential data, as well as manipulation of the displayed content or redirection to malicious sites. The vulnerability has a CVSS 3.1 base score of 5.4, indicating medium severity. The attack vector is network-based, requiring only low privileges on the application and user interaction (visiting the infected page). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. No public exploits have been reported yet, but the presence of stored XSS in a widely used enterprise content management system poses a significant risk. Adobe has not yet released patches at the time of this report, so mitigation relies on configuration and defensive coding practices. Stored XSS vulnerabilities are particularly dangerous because the malicious payload persists and can affect multiple users over time. The CWE-79 classification confirms this is a classic cross-site scripting issue related to improper neutralization of input data.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on Adobe Experience Manager for managing public-facing websites or intranet portals. Exploitation could lead to unauthorized disclosure of sensitive user information, including session tokens and personal data, violating GDPR requirements and potentially resulting in regulatory penalties. Integrity of web content can be compromised, leading to defacement or misinformation, damaging organizational reputation and trust. Availability is not directly impacted, but indirect effects such as user lockout or phishing attacks could arise. The medium CVSS score reflects moderate risk, but the ease of exploitation by low-privileged attackers combined with user interaction means that targeted phishing or social engineering campaigns could increase risk. Organizations in sectors such as finance, government, healthcare, and e-commerce, which often use AEM for content management, are particularly vulnerable. The persistence of the injected scripts means that multiple users can be affected over time, amplifying the potential damage.

1. Apply official Adobe patches immediately once released for versions 6.5.23 and earlier to remediate the vulnerability at the source. 2. Until patches are available, implement strict input validation on all form fields, rejecting or sanitizing any suspicious input, especially scripts or HTML tags. 3. Employ robust output encoding (e.g., HTML entity encoding) to neutralize any injected scripts before rendering content in browsers. 4. Configure Content Security Policy (CSP) headers to restrict the execution of inline scripts and loading of external scripts, reducing the impact of any injected code. 5. Conduct regular security audits and penetration testing focusing on web application input handling and stored XSS vectors. 6. Monitor web server and application logs for unusual input patterns or repeated form submissions that may indicate exploitation attempts. 7. Educate users and administrators about the risks of XSS and the importance of cautious interaction with web content. 8. Consider implementing Web Application Firewalls (WAF) with rules designed to detect and block XSS payloads targeting AEM. 9. Review and harden user privilege assignments to minimize the number of users able to submit content that is rendered without sanitization. 10. Maintain an incident response plan to quickly address any detected exploitation and limit damage.