CVE-2025-64869 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. Stored XSS occurs when malicious input is saved by the application and later rendered in users' browsers without proper sanitization or encoding. In this case, a low-privileged attacker can inject malicious JavaScript code into vulnerable form fields within AEM. When other users access pages containing these fields, the injected script executes in their browsers, potentially allowing the attacker to steal session cookies, perform actions on behalf of the user, or manipulate page content. The vulnerability requires the attacker to have at least low-level privileges to submit malicious input and requires victims to interact by visiting the compromised page. The CVSS v3.1 score is 5.4 (medium), reflecting network attack vector, low attack complexity, low privileges required, user interaction needed, and partial confidentiality and integrity impact without affecting availability. No public exploits are known yet, and Adobe has not released patches as of the disclosure date. The vulnerability stems from insufficient input validation and output encoding in form fields, a common issue in web applications. Organizations using AEM for content management, especially those exposing user-generated content or forms, are vulnerable to this attack. Attackers could leverage this flaw to conduct phishing, session hijacking, or defacement attacks. Given the widespread use of AEM in enterprise digital experience platforms, this vulnerability poses a significant risk to the integrity and confidentiality of web applications and their users.

For European organizations, this vulnerability can lead to unauthorized disclosure of sensitive information, such as session tokens or personal data, through malicious script execution in users' browsers. It can also enable attackers to perform actions on behalf of users, potentially leading to account compromise or unauthorized changes to content. The impact is particularly critical for organizations relying on AEM for customer-facing websites, intranets, or portals where user trust and data confidentiality are paramount. Exploitation could damage reputation, lead to regulatory non-compliance (e.g., GDPR violations), and cause operational disruptions if attackers manipulate content or user sessions. Since the vulnerability requires low privileges but user interaction, targeted phishing or social engineering campaigns could increase risk. The lack of a patch at disclosure heightens the urgency for interim mitigations. Overall, the threat affects confidentiality and integrity, with no direct availability impact, but the potential for cascading effects on business operations and compliance is significant.

1. Immediately review and restrict user input fields in Adobe Experience Manager, especially those accepting rich text or HTML content, to prevent injection of scripts. 2. Implement strict Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 3. Employ robust input validation and output encoding on all user-supplied data rendered in web pages. 4. Monitor logs and web traffic for unusual or suspicious input patterns indicative of attempted XSS injection. 5. Educate users and administrators about the risk of clicking on untrusted links or interacting with suspicious content. 6. Isolate or sandbox vulnerable components to limit the scope of potential script execution. 7. Prepare to deploy Adobe patches immediately upon release and test updates in a controlled environment. 8. Use web application firewalls (WAFs) with updated rules to detect and block XSS payloads targeting AEM. 9. Conduct regular security assessments and penetration tests focused on XSS vulnerabilities in AEM deployments. 10. Limit low-privilege user capabilities where possible to reduce the attack surface for injection.