{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-49534", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "state": "PUBLISHED", "assignerShortName": "adobe", "dateReserved": "2025-06-06T15:42:09.514Z", "datePublished": "2025-07-08T21:40:35.588Z", "dateUpdated": "2026-04-14T18:08:45.505Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Adobe Experience Manager", "vendor": "Adobe", "versions": [{"lessThanOrEqual": "FP11.4", "status": "affected", "version": "0", "versionType": "semver"}]}], "datePublic": "2025-07-08T17:00:00.000Z", "descriptions": [{"lang": "en", "value": "Adobe Experience Manager versions FP11.4 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u2019s browser when they browse to the page containing the vulnerable field. Scope is changed."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "environmentalScore": 5.4, "environmentalSeverity": "MEDIUM", "exploitCodeMaturity": "NOT_DEFINED", "integrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "LOW", "modifiedIntegrityImpact": "LOW", "modifiedPrivilegesRequired": "LOW", "modifiedScope": "CHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "LOW", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "scope": "CHANGED", "temporalScore": 5.4, "temporalSeverity": "MEDIUM", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Cross-site Scripting (Stored XSS) (CWE-79)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-04-14T18:08:45.505Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://helpx.adobe.com/security/products/aem-screens/apsb25-68.html"}], "source": {"discovery": "EXTERNAL"}, "title": "Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-09T13:26:12.903678Z", "id": "CVE-2025-49534", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-09T13:26:22.745Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-49534", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-09T13:26:12.903678Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-09T13:26:18.709Z"}}], "cna": {"title": "Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)", "source": {"discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "modifiedScope": "CHANGED", "temporalScore": 5.4, "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "temporalSeverity": "MEDIUM", "availabilityImpact": "NONE", "environmentalScore": 5.4, "privilegesRequired": "LOW", "exploitCodeMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NETWORK", "confidentialityImpact": "LOW", "environmentalSeverity": "MEDIUM", "availabilityRequirement": "NOT_DEFINED", "modifiedIntegrityImpact": "LOW", "modifiedUserInteraction": "REQUIRED", "modifiedAttackComplexity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAvailabilityImpact": "NONE", "modifiedPrivilegesRequired": "LOW", "modifiedConfidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Adobe", "product": "Adobe Experience Manager", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "FP11.4"}], "defaultStatus": "affected"}], "datePublic": "2025-07-08T17:00:00.000Z", "references": [{"url": "https://helpx.adobe.com/security/products/aem-screens/apsb25-68.html", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Adobe Experience Manager versions FP11.4 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u2019s browser when they browse to the page containing the vulnerable field. Scope is changed."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross-site Scripting (Stored XSS) (CWE-79)"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-04-14T18:08:45.505Z"}}}, "cveMetadata": {"cveId": "CVE-2025-49534", "state": "PUBLISHED", "dateUpdated": "2026-04-14T18:08:45.505Z", "dateReserved": "2025-06-06T15:42:09.514Z", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "datePublished": "2025-07-08T21:40:35.588Z", "assignerShortName": "adobe"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adobe:experience_manager:6.5.22.0:fp11.4:*:*:-:*:*:*", "matchCriteriaId": "4074B32A-2D16-4466-A74D-429905EBE091", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Adobe Experience Manager versions FP11.4 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u2019s browser when they browse to the page containing the vulnerable field. Scope is changed."}, {"lang": "es", "value": "Las versiones 11.4 y anteriores de Adobe Experience Manager se ven afectadas por una vulnerabilidad de Cross-Site Scripting (XSS) Almacenado que un atacante con pocos privilegios podr\u00eda aprovechar para inyectar scripts maliciosos en campos de formulario vulnerables. Es posible que se ejecute JavaScript malicioso en el navegador de la v\u00edctima al acceder a la p\u00e1gina que contiene el campo vulnerable. Se ha modificado el alcance."}], "id": "CVE-2025-49534", "lastModified": "2026-04-14T18:16:40.453", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "psirt@adobe.com", "type": "Secondary"}]}, "published": "2025-07-08T22:15:27.587", "references": [{"source": "psirt@adobe.com", "tags": ["Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/aem-screens/apsb25-68.html"}], "sourceIdentifier": "psirt@adobe.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "psirt@adobe.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T18:09:25.887212+00:00", "value": {"mitigation_remediation": ["Apply the latest Adobe Experience Manager patch or upgrade to a version newer than FP11.4 to remove the stored XSS flaw.", "Disable or remove custom form fields that accept user\u2011supplied input to prevent malicious script injection on sites where an immediate upgrade is not possible.", "Implement strict input validation and output encoding on any remaining form fields to ensure that injected content is sanitized before rendering.", "Configure a Content Security Policy to restrict script execution on AEM pages, providing an additional layer of defense against any residual XSS vectors."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Adobe Experience Manager is affected by this flaw, specifically all releases within the FP11.4 maintenance branch and earlier. The vulnerability applies to the version identified by the CPE string although that is omitted here; the key point is that any installation on or before FP11.4 is susceptible.", "description_and_impact": "A low\u2011privileged attacker can insert malicious JavaScript into specific form fields within Adobe Experience Manager, creating a stored Cross\u2011Site Scripting (XSS) flaw. When a victim visits a page that contains the injected script, the code executes in the victim\u2019s browser, potentially allowing the attacker to hijack sessions, deface content, or exfiltrate data. The description notes that the vulnerability\u2019s scope is changed, implying that the impact may extend beyond the affected field to other components or user interactions.", "risk_and_exploitability": "The CVSS score of 5.4 places this issue in the moderate severity range, and the EPSS score of < 1% indicates a low probability of exploitation in the near term. It is not listed in CISA\u2019s KEV catalog. The likely attack vector is the web application, where an attacker with modest privileges submits data to vulnerable form fields that is subsequently rendered without proper sanitization. Because script execution occurs client\u2011side, an attacker can perform session hijacking or phishing attacks based on the user\u2019s context."}}}}, "created": "2025-07-13T21:46:59.312416+00:00", "updated": "2026-04-20T18:15:13.616406+00:00", "vendors": ["adobe", "adobe$PRODUCT$adobe_experience_manager"]}