Platform: adobe
Component: adobe-experience-manager
Fixed in: 6.5.24
CVE-2025-64538 is a DOM-based Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager versions 6.5.23 and earlier. This vulnerability allows an attacker to inject malicious scripts into a web page, which are then executed within the context of a victim's browser. While exploitation requires user interaction (visiting a crafted page), the potential impact is severe, including session takeover and data breaches. Adobe has released updates to address this issue.
The primary impact of CVE-2025-64538 is the potential for arbitrary code execution within the victim's browser. An attacker can leverage this to steal session cookies, redirect users to malicious websites, or deface the website. The vulnerability’s DOM-based nature means that the attacker doesn't necessarily need to control the entire page, only a specific element. This makes it easier to exploit than traditional XSS vulnerabilities. The ability to achieve session takeover significantly increases the confidentiality and integrity impact, as an attacker can impersonate legitimate users and access sensitive data. The blast radius extends to any user who interacts with a page containing the injected script.
CVE-2025-64538 was publicly disclosed on December 10, 2025. While no public proof-of-concept (PoC) code has been released at the time of writing, the vulnerability's nature and severity suggest a high probability of exploitation. It is not currently listed on the CISA KEV catalog. The potential for session takeover makes this a high-priority vulnerability to address.
Organizations heavily reliant on Adobe Experience Manager for content management and digital experiences are at significant risk. Specifically, deployments with custom components or integrations that handle user-supplied data without proper sanitization are particularly vulnerable. Shared hosting environments where multiple websites share the same Experience Manager instance also increase the attack surface.
• adobe: Monitor Experience Manager logs for unusual script execution patterns or attempts to access sensitive data.
    Get-WinEvent -LogName Application -FilterXPath "//*[System[Provider[@Name='Adobe Experience Manager']]]" | Where-Object {$_.Message -match "XSS"}
• generic web: Inspect HTTP response headers for unexpected script tags or unusual content.
    curl -I https://example.com/ | grep -i script
• generic web: Review access logs for requests containing suspicious URL parameters or POST data that could be exploited for XSS.
    grep -i 'script' /var/log/apache2/access.log
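Added example, not from the Adobe advisory or the original page: a plain `grep -i 'script'` over an access log matches every request for a `.js` path and misses percent-encoded input, so this sketch decodes the query string (including double encoding) before matching. The combined log format, the sample entries and the pattern list are assumptions; input carried only in a URL fragment is never sent to the server and will not appear in access logs at all.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Request line inside an Apache/Nginx combined-format entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/[\d.]+"')

# Markup or script-scheme patterns that rarely belong in a query string.
# Assumed heuristic list: tune it against your own traffic.
SUSPICIOUS_RE = re.compile(
    r"<\s*(?:script|img|svg|iframe)\b|\bon\w+\s*=|javascript\s*:", re.I)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is also exposed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_lines):
    """Return (line_number, decoded_query) for entries worth a closer look."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # Only the query string is inspected, so static .js paths are ignored.
        query = fully_decode(urlsplit(match.group(1)).query)
        if SUSPICIOUS_RE.search(query):
            hits.append((number, query))
    return hits


# Constructed sample entries (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2025:10:00:01 +0000] "GET /etc/clientlibs/site/scripts/app.js HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Dec/2025:10:00:07 +0000] "GET /content/site/search.html?q=%3Cscript%3Eprobe%3C%2Fscript%3E HTTP/1.1" 200 812',
    '203.0.113.9 - - [10/Dec/2025:10:00:09 +0000] "GET /content/site/search.html?q=%253Csvg%2520onload%253Dprobe HTTP/1.1" 200 812',
    '198.51.100.4 - - [10/Dec/2025:10:01:30 +0000] "GET /content/site/news.html?topic=javascript+tutorials HTTP/1.1" 200 4410',
]

if __name__ == "__main__":
    for number, query in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: {query}")
```

Hits are leads for review, not confirmed exploitation: a parameter such as `online=1` would also match the event-handler pattern.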
Exploit Status
EPSS: 0.73% (72nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-64538 is to upgrade to a patched version of Adobe Experience Manager. Adobe has released updates to address this vulnerability; refer to the official Adobe security advisory for specific version details. If immediate patching is not possible, consider implementing strict input validation and output encoding on all user-supplied data. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly scan your Experience Manager instance for vulnerabilities using automated security tools.
Upgrade Adobe Experience Manager to a version later than 6.5.23. This will fix the DOM-based XSS vulnerability. Refer to the Adobe security advisory for more details and specific upgrade instructions.
CVE-2025-64538 is a critical DOM-based Cross-Site Scripting (XSS) vulnerability in Adobe Experience Manager versions 0–6.5.23, allowing attackers to inject malicious scripts and potentially take over user sessions.
If you are using Adobe Experience Manager versions 6.5.23 or earlier, you are potentially affected by this vulnerability. Check your version and upgrade as soon as possible.
Upgrade to a patched version of Adobe Experience Manager. Refer to the official Adobe security advisory for specific version details and patching instructions.
While no public exploits are currently known, the vulnerability's severity suggests a high probability of exploitation. Proactive patching is highly recommended.
Refer to the official Adobe Security Bulletin for details: [https://www.adobe.com/security/advisories/AdobeSecurityBulletin.htm](https://www.adobe.com/security/advisories/AdobeSecurityBulletin.htm)