CVE-2025-64800 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. The vulnerability arises from insufficient sanitization of user input in certain form fields, allowing a low-privileged attacker to inject malicious JavaScript code that is stored on the server. When other users access the affected page containing the injected script, the malicious code executes in their browsers within the security context of the vulnerable web application. This can lead to theft of session cookies, user impersonation, or redirection to malicious sites, compromising confidentiality and integrity of user data. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, requiring low privileges and user interaction, with a scope change due to potential impact on other users. The vulnerability does not affect system availability. No public exploits are currently known, but the presence of stored XSS in a widely used enterprise content management system poses a significant risk if weaponized. Adobe has not yet released patches, so organizations must rely on interim mitigations. The vulnerability is cataloged under CWE-79, a common and well-understood web application security issue.

For European organizations, the impact of this vulnerability can be significant, particularly for those relying on Adobe Experience Manager to manage public-facing websites or intranet portals. Successful exploitation can lead to session hijacking, unauthorized actions performed on behalf of legitimate users, and potential data leakage. This can damage organizational reputation, lead to regulatory non-compliance (e.g., GDPR breaches due to exposure of personal data), and facilitate further attacks such as phishing or malware distribution. Since AEM is often used by government agencies, financial institutions, and large enterprises in Europe, the risk extends to critical infrastructure and sensitive information. The medium CVSS score reflects that while the vulnerability requires some user interaction and privileges, the potential for lateral movement or widespread compromise is limited. However, the scope change indicates that the attacker can affect other users beyond the initially compromised account, increasing the threat surface. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits rapidly after disclosure.

1. Apply official Adobe patches immediately once they become available to fully remediate the vulnerability. 2. Until patches are released, implement strict input validation and output encoding on all user-supplied data in AEM forms to prevent script injection. 3. Restrict user privileges on forms and interfaces to the minimum necessary to reduce the risk of malicious input submission. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 5. Monitor web application logs and user activity for unusual input patterns or repeated failed attempts to inject scripts. 6. Educate users and administrators about the risks of XSS and encourage cautious behavior when interacting with web content. 7. Consider deploying web application firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting AEM. 8. Regularly review and update security configurations of Adobe Experience Manager to adhere to best practices.