CVE-2025-64823: Cross-site Scripting (Stored XSS) (CWE-79) in Adobe Experience Manager
CVE-2025-64823 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.23 and earlier. A low-privileged attacker can inject malicious JavaScript into vulnerable form fields, which executes in the browsers of users who visit the affected pages. This vulnerability requires user interaction and some privileges but no authentication bypass. The CVSS score is 5.4 (medium severity), reflecting limited confidentiality and integrity impact but no availability impact. There are no known exploits in the wild yet. European organizations using AEM for content management and digital experience delivery are at risk, especially those with public-facing web portals. Mitigation involves applying patches when available, sanitizing and validating user inputs, and implementing Content Security Policy (CSP) headers.
AI Analysis
Technical Summary
CVE-2025-64823 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM), a widely used enterprise content management system. The vulnerability exists in versions 6.5.23 and earlier, allowing an attacker with low privileges to inject malicious JavaScript code into vulnerable form fields within the application. When a victim user accesses a page containing the injected script, the malicious code executes in their browser context. This can lead to theft of session tokens, user impersonation, or unauthorized actions performed on behalf of the user. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS 3.1 base score is 5.4, with vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, meaning the attack can be launched remotely over the network with low attack complexity, requires low privileges, and user interaction is necessary. The scope is changed (S:C), indicating the vulnerability affects resources beyond the vulnerable component. The impact on confidentiality and integrity is low, with no impact on availability. No public exploits have been reported yet, but the vulnerability poses a risk to any organization using affected AEM versions, especially those exposing forms to external users. The lack of patches at the time of reporting necessitates interim mitigations.
Potential Impact
For European organizations, this vulnerability can lead to unauthorized access to user sessions and potential data leakage through malicious script execution in user browsers. Organizations relying on Adobe Experience Manager for customer-facing websites or intranet portals may face risks of credential theft, session hijacking, or unauthorized actions performed by attackers impersonating legitimate users. This can damage organizational reputation, lead to regulatory non-compliance (e.g., GDPR breaches if personal data is compromised), and cause operational disruptions. The medium severity score reflects moderate risk, but the widespread use of AEM in Europe, especially in sectors like government, finance, and retail, increases the potential impact. Attackers exploiting this vulnerability could target employees or customers, leading to broader security incidents. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in phishing or social engineering scenarios.
Mitigation Recommendations
Organizations should prioritize upgrading Adobe Experience Manager to a version where this vulnerability is patched once available. Until patches are released, implement strict input validation and sanitization on all form fields to prevent script injection. Deploy Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers. Review and limit user privileges to minimize the ability of low-privileged users to inject malicious content. Conduct security awareness training to reduce the risk of users interacting with malicious content. Monitor web application logs for suspicious input patterns and anomalous user behavior. Consider deploying web application firewalls (WAF) with rules targeting XSS attack patterns specific to AEM. Regularly audit and test web applications for XSS vulnerabilities using automated scanners and manual penetration testing.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: adobe
- Date Reserved: 2025-11-11T22:48:38.830Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6939bdb5fe7b3954b690be8c
Added to database: 12/10/2025, 6:36:37 PM
Last enriched: 12/17/2025, 9:02:27 PM
Last updated: 2/7/2026, 3:44:01 AM