Adobe Experience Manager: Malicious Scripts Can Be Injected

Summary

A security issue in Adobe Experience Manager versions 6.5.23 and earlier allows a malicious user to inject harmful code that can run in a visitor's browser when they visit a webpage. This can be done by targeting a specific form field on a vulnerable site. To stay safe, update to a fixed version of Adobe Experience Manager.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
adobe	experience_manager	<= 6.5.24.0	–
adobe	experience_manager	<= 2026.2.0	–
adobe	experience_manager	6.5	–
adobe	experience_manager	6.5	–

Original title

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts ...

Original description

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

nvd CVSS3.1 5.4

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

https://helpx.adobe.com/security/products/experience-manager/apsb26-24.html