CVE-2025-64845: Cross-site Scripting (Stored XSS) (CWE-79) in Adobe Experience Manager
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
AI Analysis
Technical Summary
CVE-2025-64845 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. Stored XSS occurs when malicious input is permanently stored on the target server, such as in form fields, and later rendered in users’ browsers without proper sanitization or encoding. In this case, a low-privileged attacker can inject malicious JavaScript code into vulnerable form fields within AEM. When other users access pages containing these fields, the injected script executes in their browsers, potentially allowing theft of session cookies, user impersonation, or unauthorized actions within the context of the victim’s session. The vulnerability requires user interaction (visiting the compromised page) and low privileges to exploit, but the scope is broad due to the persistent nature of stored XSS. The CVSS v3.1 base score is 5.4, reflecting network attack vector, low attack complexity, low privileges required, requirement for user interaction, and partial impact on confidentiality and integrity, but no impact on availability. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be considered a moderate risk. Adobe Experience Manager is widely used by enterprises and public sector organizations for web content management, making this vulnerability relevant for organizations relying on AEM for digital presence and customer engagement.
Potential Impact
For European organizations, this vulnerability poses a risk to the confidentiality and integrity of user sessions and data accessed through Adobe Experience Manager-powered websites. Attackers could leverage the stored XSS to steal authentication tokens, perform actions on behalf of users, or deliver further malware. This can lead to data breaches, reputational damage, and regulatory compliance issues under GDPR, especially if personal data is compromised. The impact is heightened for organizations with high web traffic and those providing critical public or commercial services via AEM. While availability is not directly affected, the indirect consequences of compromised user trust and potential regulatory fines can be significant. The medium severity score warrants prioritizing remediation, while also indicating that exploitation requires user interaction and some attacker effort rather than being trivial.
Mitigation Recommendations
1. Apply official Adobe patches or updates as soon as they become available for Adobe Experience Manager 6.5.23 and earlier versions.
2. Implement strict input validation and sanitization on all form fields to prevent injection of malicious scripts.
3. Use context-aware output encoding (e.g., HTML entity encoding) when rendering user-supplied content to prevent script execution.
4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers.
5. Conduct regular security audits and penetration testing focused on web application inputs and outputs.
6. Educate users and administrators about the risks of XSS and encourage cautious behavior when interacting with web content.
7. Monitor web logs and user reports for suspicious activity that may indicate exploitation attempts.
8. Consider deploying Web Application Firewalls (WAFs) with rules to detect and block XSS payloads targeting AEM instances.
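As an added example (not code from the advisory, from Adobe, or from Adobe Experience Manager), the following JavaScript shows what recommendations 3, 4 and 7 mean in practice for a stored form field: an encoder chosen per HTML context so a saved value is rendered as text rather than parsed as markup, a CSP header that refuses inline script, and a coarse flagging check for stored values that look like markup. The field object, its sample value and the CSP policy are assumptions constructed for this example.

```javascript
// Added example, not code from the advisory or from Adobe Experience Manager.
// A stored form-field value must be encoded for the exact HTML context it
// lands in (element body vs. quoted attribute); one encoder for all contexts
// is the classic gap behind stored XSS in form fields.

const BODY_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Text between tags: the five characters the HTML parser treats specially.
function encodeForHtmlBody(value) {
  return String(value).replace(/[&<>"']/g, (c) => BODY_MAP[c]);
}

// Quoted attribute value: encode every non-alphanumeric code point as a
// numeric entity, which also defeats attribute-breakout and on* handler tricks.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// Render one stored field into an HTML fragment, picking the encoder per slot.
function renderStoredField(field) {
  const id = encodeForHtmlAttribute(field.name);
  return `<label for="${id}">${encodeForHtmlBody(field.label)}</label>` +
    `<input id="${id}" name="${id}" value="${encodeForHtmlAttribute(field.value)}">`;
}

// Recommendation 4 (assumed policy): no inline script or event handlers, so a
// value that slipped past encoding still cannot execute in the browser.
const CSP_HEADER =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'";

// Recommendation 7: coarse triage signal for stored values that look like
// markup, suitable for log alerts or a review queue. It is not a sanitizer.
function looksLikeMarkup(value) {
  return /<\s*[a-z!/]|\bon[a-z]+\s*=|javascript\s*:/i.test(String(value));
}

// Constructed sample: a value as a low-privileged user might have saved it.
const sampleField = { name: "comment", label: "Your comment", value: 'Hi <b>there</b> "quoted"' };

function demo() {
  // The rendered fragment contains no raw "<b>" from the stored value.
  return { html: renderStoredField(sampleField), flagged: looksLikeMarkup(sampleField.value) };
}
```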
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: adobe
- Date Reserved: 2025-11-11T22:48:38.833Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6939bdb6fe7b3954b690beb1
Added to database: 12/10/2025, 6:36:38 PM
Last enriched: 12/10/2025, 6:55:41 PM
Last updated: 12/11/2025, 6:49:56 AM