Platform
adobe
Component
adobe-experience-manager
Fixed in
6.5.24
CVE-2025-64538 is a DOM-based cross-site scripting (XSS) vulnerability in Adobe Experience Manager 6.5.23 and earlier. Client-side JavaScript delivered by an affected page writes attacker-influenced input (typically taken from the URL) into the document without encoding it, so a crafted link executes script in the victim's browser within the origin of the AEM site. Exploitation requires user interaction (the victim has to open the crafted link), but the impact includes session takeover and access to any data the victim can reach. Adobe has released updates that address the issue.
The primary impact is execution of attacker-supplied JavaScript in the victim's browser, in the origin of the affected site. That script can read session cookies that are not marked HttpOnly, issue requests that carry the victim's session, redirect the user to an attacker site, or deface the rendered page. Because the bug is DOM-based, the injection happens entirely in client-side code that reads an untrusted source and passes it to a sink such as innerHTML or document.write; the server never reflects the payload, so server-side output encoding, request logs and WAF rules may not cover it, and a payload carried in the URL fragment is never even sent to the server. This is not a matter of "controlling only a specific element" making exploitation easier; it is a different injection point from reflected or stored XSS with its own blind spots for defenders. Session takeover raises the confidentiality and integrity impact, since the attacker acts as the impersonated user. The blast radius covers every user who follows a crafted link to a page that ships the vulnerable script.
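The source-to-sink pattern described above, as an added example that is not Adobe's code and is not taken from the affected product: a generic page script that reads a section name from location.hash and writes it into the page, shown in its vulnerable form and with output encoding applied, plus a helper that shows what the origin server receives from the same URL. The URL, the page path and all function names are assumptions for illustration. It runs under Node without a browser, so the functions return the string that would be assigned to the sink instead of touching a real DOM.

```javascript
// Added example, not Adobe's code. The URL, path and function names are
// assumptions; only the DOM XSS source/sink pattern is the point.

// Constructed attacker URL. The payload rides in the fragment, which the
// browser keeps to itself: it is never part of the HTTP request.
const CRAFTED_URL =
  "https://www.example.com/content/site/en/page.html?tab=news#<img src=x onerror=alert(document.cookie)>";

// The "source": vulnerable client-side code typically reads location.hash
// (or location.search) and decodes it before using it.
function readHashSource(url) {
  const u = new URL(url);
  return decodeURIComponent(u.hash.replace(/^#/, ""));
}

// VULNERABLE: the untrusted source is concatenated into markup that is
// destined for an innerHTML sink. Returns the string that would be assigned.
function renderVulnerable(url) {
  const section = readHashSource(url);
  return "<h2>Section: " + section + "</h2>";
}

// Minimal HTML entity encoding for text placed inside an element body.
function encodeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// HARDENED: the same rendering with the source encoded before it reaches the
// sink. In a real page, assigning to textContent instead of innerHTML is the
// simpler fix whenever no markup from the source is needed at all.
function renderHardened(url) {
  const section = readHashSource(url);
  return "<h2>Section: " + encodeHtml(section) + "</h2>";
}

// What the origin server receives for this URL: path and query string only.
// The fragment, and with it the payload, is absent from every server-side log.
function serverVisibleRequestTarget(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

console.log("server sees :", serverVisibleRequestTarget(CRAFTED_URL));
console.log("vulnerable  :", renderVulnerable(CRAFTED_URL));
console.log("hardened    :", renderHardened(CRAFTED_URL));
```

The vulnerable output contains a live `<img ... onerror=...>` element; the hardened output contains the same characters as inert text (`&lt;img ...&gt;`), and the server-visible request target contains no trace of either.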
CVE-2025-64538 was publicly disclosed on December 10, 2025. No public proof-of-concept code was available at the time of writing, and the CVE is not listed in the CISA KEV catalog; the EPSS score shown on this page (0.73%, 72nd percentile) is correspondingly low. The session-takeover impact still makes this a high-priority fix: once the vulnerable client-side code path is identified (for example by comparing the patched and unpatched client libraries), an XSS of this kind is quick to weaponize.
Organizations that rely on Adobe Experience Manager for content management and digital experiences are exposed wherever the affected client-side code is served to browsers. Deployments with custom components or integrations that write user-supplied data into the DOM without encoding carry the same class of bug in their own code, and Adobe's fix does not cover that code. Multi-site setups in which several websites are served from one Experience Manager instance widen the attack surface, since script running in the affected origin can reach everything that origin hosts.
• adobe: Search Experience Manager's own logs under crx-quickstart/logs (request.log and access.log) for script payloads in request targets. AEM does not write to the Windows Event Log, so a Get-WinEvent query finds nothing. A payload carried in the URL fragment never reaches the server and will not appear in any server-side log.
  grep -iE '%3Cscript|<script|onerror%3D|onerror=|javascript%3A' crx-quickstart/logs/access.log
• generic web: A HEAD request (curl -I) returns only headers, which carry no markup. Fetch the page body and the client libraries it loads, look for the DOM sinks this class of bug needs, and review each hit for an untrusted source feeding it:
  curl -s https://example.com/ | grep -oiE 'innerHTML|outerHTML|document\.write|insertAdjacentHTML|location\.(hash|search)'
• generic web: Review web server access logs for requests whose query string or POST body carries raw or percent-encoded script markup. A bare match on "script" also hits every page path or file name containing the word, so anchor on tag and handler syntax:
  grep -iE '%3Cscript|<script|onerror%3D|javascript%3A' /var/log/apache2/access.log
disclosure
Exploit status
EPSS
0.73% (72nd percentile)
CISA SSVC
CVSS vector
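Detection logic for the log checks above, as an added example that is not part of the original page and not Adobe's tooling: a scanner over constructed access-log lines in the NCSA combined format that AEM and Apache write. It decodes percent-encoding repeatedly so that double-encoded payloads are caught, anchors on tag and event-handler syntax rather than on the word "script", and includes a request that carried its payload in the URL fragment to show that such a payload simply is not present server-side. All log lines, addresses and paths are constructed.

```javascript
// Added example, not Adobe's code. Sample log lines are constructed.
const SAMPLE_ACCESS_LOG = [
  // benign page request
  '203.0.113.5 - - [10/Dec/2025:12:00:01 +0000] "GET /content/site/en/page.html?tab=news HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  // percent-encoded <script> in the query string
  '203.0.113.9 - - [10/Dec/2025:12:00:07 +0000] "GET /content/site/en/search.html?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
  // double-encoded <img onerror=...> that a single decode would miss
  '198.51.100.2 - - [10/Dec/2025:12:00:11 +0000] "GET /content/site/en/page.html?ref=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5120 "-" "curl/8.4.0"',
  // the victim followed a link whose payload sat in the fragment: the server only saw the path and query
  '203.0.113.5 - - [10/Dec/2025:12:00:20 +0000] "GET /content/site/en/page.html?tab=news HTTP/1.1" 200 5120 "https://attacker.example/" "Mozilla/5.0"',
  // benign path that a plain grep for "script" would flag
  '203.0.113.5 - - [10/Dec/2025:12:00:21 +0000] "GET /content/site/en/scripting-guide.html HTTP/1.1" 200 7000 "-" "Mozilla/5.0"',
];

// Extract the request target from the quoted request line.
function requestTarget(line) {
  const m = line.match(/"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Decode percent-encoding until the string stops changing (bounded), so a
// double-encoded payload is normalized; malformed sequences are left as-is.
function fullyDecode(s, maxRounds = 3) {
  let out = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(out); } catch (e) { break; }
    if (next === out) break;
    out = next;
  }
  return out;
}

// Indicators anchored on markup syntax, not on the substring "script".
const INDICATORS = [
  ["tag", /<\s*(script|img|svg|iframe|object|embed|body)\b/i],
  ["event-handler", /\bon[a-z]+\s*=/i],
  ["javascript-uri", /javascript\s*:/i],
];

// Returns one hit per line whose decoded request target shows an indicator.
function scanAccessLog(lines) {
  const hits = [];
  for (const line of lines) {
    const target = requestTarget(line);
    if (!target) continue;
    const decoded = fullyDecode(target);
    const found = INDICATORS.filter(([, re]) => re.test(decoded)).map(([name]) => name);
    if (found.length) hits.push({ line, target, decoded, indicators: found });
  }
  return hits;
}

for (const h of scanAccessLog(SAMPLE_ACCESS_LOG)) {
  console.log(h.indicators.join(","), "->", h.decoded);
}
```

Two lines are flagged (the encoded `<script>` and the double-encoded `<img onerror>`); the request that carried its payload in the fragment and the benign "scripting-guide" path are not, which is the correct result for both, and the reason this check cannot stand in for fixing the client-side code.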
The primary mitigation for CVE-2025-64538 is to upgrade to a patched release of Adobe Experience Manager (6.5.24, per the fix metadata above); refer to Adobe's security bulletin for the exact version and installation instructions. If patching has to wait, reduce the impact rather than hoping to filter the payload: deploy a Content-Security-Policy that disallows inline script and unlisted script sources, which stops the usual injected payload even while the vulnerable code remains; mark session cookies HttpOnly so that script execution does not directly yield the session token; and apply strict output encoding in any custom client-side code that writes user-supplied data into the DOM. A WAF tuned for XSS payloads adds a layer for payloads carried in the query string, but it cannot see a payload in the URL fragment, because browsers never send fragments to the server. Scan the instance regularly with automated vulnerability tools.
Update Adobe Experience Manager to a version newer than 6.5.23. This fixes the DOM-based XSS vulnerability. Further details and specific update instructions are in Adobe's security bulletin.
CVE-2025-64538 is a DOM-based cross-site scripting (XSS) vulnerability in Adobe Experience Manager 6.5.23 and earlier that lets an attacker inject script into a page in the victim's browser and potentially take over the user's session.
If you are using Adobe Experience Manager versions 6.5.23 or earlier, you are potentially affected by this vulnerability. Check your version and upgrade as soon as possible.
Upgrade to a patched version of Adobe Experience Manager. Refer to the official Adobe security advisory for specific version details and patching instructions.
No public exploit is known at the time of writing and the EPSS score on this page is low, but session takeover is a serious outcome and an XSS of this kind is quick to weaponize once the vulnerable code path is identified. Proactive patching is recommended.
Refer to the official Adobe Security Bulletin for details: [https://www.adobe.com/security/advisories/AdobeSecurityBulletin.htm](https://www.adobe.com/security/advisories/AdobeSecurityBulletin.htm)