Platform
adobe
Component
adobe-experience-manager
Fixed in
6.5.24
A DOM-based Cross-Site Scripting (XSS) vulnerability (CVE-2025-64539) has been identified in Adobe Experience Manager versions 6.5.23 and earlier; Adobe fixed it in 6.5.24. Successful exploitation allows an attacker to inject script into a web page so that it executes in the victim's browser, within the origin of the AEM site. This can lead to session takeover and compromise the confidentiality and integrity of sensitive data. The vulnerability was publicly disclosed on December 10, 2025.
This XSS vulnerability is a significant threat because it lets an attacker run arbitrary script in the victim's browser. An attacker could use it to steal session cookies, hijack user accounts, and perform actions on behalf of the victim without their knowledge. The impact is amplified by the potential for session takeover, granting the attacker access to sensitive data and functionality within the Adobe Experience Manager environment. Exploitation requires user interaction: the victim must open a crafted link or page. In practice that requirement is only a modest barrier, because attackers can distribute crafted links through phishing e-mails or compromised websites.
The vulnerability is rated critical because of its potential for session takeover. Public proof-of-concept exploits are likely to emerge, which would raise the risk of widespread exploitation. As of the publication date (December 10, 2025) there is no indication of active exploitation campaigns, and the vulnerability has not been added to the CISA KEV catalog, but its severity warrants prompt attention.
Organizations that rely on Adobe Experience Manager for content management and digital asset management are at risk. Deployments with custom client-side components or integrations that write user-supplied data (URL query parameters, the URL fragment, the referrer) into the DOM without encoding are particularly exposed. Multi-tenant instances where several websites share one Adobe Experience Manager origin widen the blast radius, because script running in that origin has same-origin access to every site and session served from it.
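To make the DOM-based XSS pattern concrete, here is an added example (not the vulnerable AEM component, which the advisory does not identify, and not Adobe's code). It shows a generic client-side banner renderer that reads a parameter from the URL and builds markup by concatenation, next to the hardened form that encodes the value first. Because it runs outside a browser, the innerHTML assignment is simulated by returning the string that would be assigned; the function names, the `msg` parameter and the sample URL are assumptions.

```javascript
// Added example: generic DOM-based XSS source-to-sink flow and its fix.
// Not the AEM component from the advisory; names and the sample URL are assumptions.

// Minimal HTML encoder for element content and double-quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Source: read a parameter from the query string, falling back to the fragment.
// location.search and location.hash are the classic DOM XSS sources.
function readParam(pageUrl, name) {
  const u = new URL(pageUrl);
  const fromQuery = u.searchParams.get(name);
  if (fromQuery !== null) return fromQuery;
  const fromFragment = new URLSearchParams(u.hash.replace(/^#/, ''));
  return fromFragment.get(name);
}

// VULNERABLE sink: markup built by concatenation. In a browser this string would
// be assigned to element.innerHTML, so an <img onerror=...> payload executes.
function renderBannerUnsafe(pageUrl) {
  const msg = readParam(pageUrl, 'msg') ?? '';
  return '<div class="banner">' + msg + '</div>';
}

// HARDENED: encode for the HTML context before the value reaches the sink.
// In real DOM code, prefer element.textContent and never innerHTML for untrusted data.
function renderBannerSafe(pageUrl) {
  const msg = readParam(pageUrl, 'msg') ?? '';
  return '<div class="banner">' + escapeHtml(msg) + '</div>';
}

// Constructed sample: the payload rides in the fragment, so it is never sent to the
// server and will not appear in any server-side log or pass through a WAF.
const attackUrl = 'https://example.com/content/site/page.html#msg=' +
  encodeURIComponent('<img src=x onerror=alert(document.cookie)>');

console.log('unsafe:', renderBannerUnsafe(attackUrl));
console.log('safe:  ', renderBannerSafe(attackUrl));
```

The unsafe renderer returns markup containing a live `<img onerror=...>` element; the safe one returns the same payload as inert text. The fragment source is the reason the detection guidance below on server-side logs is only partial for this class of bug.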
• adobe: AEM writes its own logs under crx-quickstart/logs (error.log, request.log, access.log); it does not write to the Windows Application event log, so query those files rather than Get-WinEvent. Look for requests whose query string carries script markers, including percent-encoded forms. Note that a DOM-based payload delivered in the URL fragment (after #) is never sent to the server and will not appear in any server-side log.
  Select-String -Path .\crx-quickstart\logs\access.log -Pattern '<script|%3Cscript|javascript:|javascript%3A|onerror'
• generic web: Inspect HTTP response headers for a Content-Security-Policy directive. Verify that CSP is present and that script-src does not allow 'unsafe-inline' or wildcard sources.
  curl -sI https://example.com | grep -i content-security-policy
• generic web: Monitor web server access logs for requests whose URL parameters or POST bodies contain script tags, javascript: URLs or inline event handlers, decoding percent-encoding (including double encoding) before matching.
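The log-monitoring advice above is easier to apply with a concrete scanner. The following is an added example, not part of the advisory and not an Adobe tool: it extracts the request target from combined-format access-log lines, decodes percent-encoding (repeatedly, to catch double encoding), and flags the usual XSS markers. It also shows why this is only a partial control for DOM-based XSS: the part of a URL after `#` is stripped by the browser before the request is sent. The log lines and the log format are constructed for the example.

```javascript
// Added example (not from the advisory or Adobe): scan access-log lines for XSS
// markers in the request target. Sample lines are constructed; the combined log
// format is an assumption about the deployment.

const XSS_MARKERS = [
  /<\s*script/i,                                   // <script ...>
  /javascript\s*:/i,                               // javascript: URLs
  /\bon(error|load|click|mouseover|focus)\s*=/i,   // inline event handlers
  /<\s*(img|svg|iframe)\b/i,                       // common handler carriers
];

// Decode percent-encoding until it stops changing, capped to avoid pathological input.
function fullyDecode(s) {
  let out = s;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(out); } catch { break; } // malformed %xx, stop
    if (next === out) break;
    out = next;
  }
  return out;
}

// Pull the request target out of '"GET /path?q=... HTTP/1.1"'.
function requestTarget(line) {
  const m = line.match(/"(?:GET|POST|PUT|HEAD)\s+(\S+)\s+HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Return the lines whose decoded request target contains at least one marker.
function scanAccessLog(lines) {
  const hits = [];
  for (const line of lines) {
    const target = requestTarget(line);
    if (!target) continue;
    const decoded = fullyDecode(target);
    if (XSS_MARKERS.some((re) => re.test(decoded))) hits.push({ target, decoded });
  }
  return hits;
}

// What the server actually receives for a URL: path and query only. Everything from
// '#' onward stays in the browser, so a fragment-borne DOM XSS payload is never logged.
function serverVisibleTarget(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

// Constructed sample log: one benign request, one plainly encoded payload,
// one double-encoded payload.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Dec/2025:10:00:01 +0000] "GET /content/site/en.html HTTP/1.1" 200 5120',
  '203.0.113.7 - - [10/Dec/2025:10:00:02 +0000] "GET /content/site/en.html?msg=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120',
  '203.0.113.9 - - [10/Dec/2025:10:00:03 +0000] "GET /content/site/en.html?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5120',
];

for (const hit of scanAccessLog(SAMPLE_LOG)) console.log('suspicious:', hit.decoded);
console.log('server sees:', serverVisibleTarget('https://example.com/content/site/en.html?x=1#msg=%3Cscript%3E'));
```

Two of the three constructed lines are flagged; the double-encoded one is caught only because decoding is repeated. A hit is a lead, not a confirmed attack: a reflected or DOM payload that arrives in the fragment leaves no trace here, so pair log review with the CSP and code-level checks.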
disclosure
Exploit status
EPSS
0.73% (72nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-64539 is to upgrade Adobe Experience Manager to 6.5.24 or later, the release in which Adobe fixed the issue; consult Adobe's security bulletin for the exact package and installation instructions. Where the upgrade has to wait, a strict Content Security Policy (script-src limited to 'self' plus nonces or hashes, with no 'unsafe-inline' and no wildcard sources) is a useful defense in depth: it can stop an injected <script> element or inline event handler from executing, but it does not remove the vulnerable DOM sink. In custom components, do not write untrusted input taken from location.search, location.hash or document.referrer into innerHTML, document.write or similar sinks; use textContent, or encode for the HTML context first. Review web application firewall (WAF) rules with the caveat that a WAF inspects only what reaches the server, and a payload carried in the URL fragment never does.
Update Adobe Experience Manager to a version later than 6.5.23 (6.5.24 or newer). See Adobe's security bulletin for details and specific upgrade instructions.
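The CSP workaround only helps if the policy actually forbids inline script. Below is an added example (not Adobe's configuration and not from the advisory) that parses a Content-Security-Policy header, resolves the effective script-src (falling back to default-src as browsers do), and lists the weaknesses that would let an injected script run. The weak and strict header values are constructed; the nonce value is a placeholder.

```javascript
// Added example (not Adobe's configuration): audit a CSP header for settings that
// leave XSS exploitable. Header values below are constructed; the nonce is a placeholder.

// Split "directive src src; directive src" into { directive: [sources...] }.
// Directive names are case-insensitive; source values are kept as written
// because nonce and hash values are case-sensitive.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Browsers use script-src if present, otherwise default-src, otherwise no restriction.
function effectiveScriptSrc(policy) {
  if (policy['script-src']) return policy['script-src'];
  if (policy['default-src']) return policy['default-src'];
  return null;
}

// Returns a list of problems; an empty list means script-src is acceptably strict.
function auditScriptSrc(header) {
  const src = effectiveScriptSrc(parseCsp(header));
  if (src === null) return ['no script-src or default-src: any script, inline included, is allowed'];
  const has = (kw) => src.some((s) => s.toLowerCase() === kw);
  // With a nonce or hash present, CSP2+/CSP3 browsers ignore 'unsafe-inline'.
  const hasNonceOrHash = src.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  const problems = [];
  if (has("'unsafe-inline'") && !hasNonceOrHash) {
    problems.push("'unsafe-inline' without a nonce or hash: injected inline script runs");
  }
  if (has("'unsafe-eval'")) problems.push("'unsafe-eval': eval/Function sinks stay reachable");
  if (has('*')) problems.push("wildcard '*': script may load from any host");
  if (has('data:')) problems.push("data: scheme: attacker can supply script as a data: URL");
  return problems;
}

// Weak setting (constructed): inline script and any host permitted.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' *";
// Corrected setting (constructed): nonce-based, no inline, no wildcard.
const STRICT_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0mV4lu3' 'strict-dynamic'; object-src 'none'; base-uri 'none'";

console.log('weak:  ', auditScriptSrc(WEAK_CSP));
console.log('strict:', auditScriptSrc(STRICT_CSP));
```

Run this against the value returned by the curl check in the detection section. The strict policy only blocks script that the attacker injects; it does not make the vulnerable component safe, and the nonce must be freshly generated per response for it to mean anything.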
CVE-2025-64539 is a critical DOM-based Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager versions 6.5.23 and earlier; it lets an attacker inject script that runs in a victim's browser.
If you are running Adobe Experience Manager version 6.5.23 or earlier, you are potentially affected by this vulnerability. Check your version and apply the patch.
Upgrade to Adobe Experience Manager 6.5.24 or later. Monitor Adobe's security advisories for updates and, until the upgrade is in place, apply temporary workarounds such as a strict CSP.
As of December 10, 2025, there is no confirmed active exploitation, but the vulnerability's severity warrants immediate action to prevent potential attacks.
Refer to the official Adobe Security Bulletin for CVE-2025-64539 on the Adobe Security Advisories website (adobe.com/security/advisories).