{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-49547", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "state": "PUBLISHED", "assignerShortName": "adobe", "dateReserved": "2025-06-06T15:42:09.516Z", "datePublished": "2025-07-08T21:40:36.387Z", "dateUpdated": "2026-04-14T18:06:52.343Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Adobe Experience Manager", "vendor": "Adobe", "versions": [{"lessThanOrEqual": "FP11.4", "status": "affected", "version": "0", "versionType": "semver"}]}], "datePublic": "2025-07-08T17:00:00.000Z", "descriptions": [{"lang": "en", "value": "Adobe Experience Manager versions FP11.4 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u2019s browser when they browse to the page containing the vulnerable field. Scope is changed."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "environmentalScore": 5.4, "environmentalSeverity": "MEDIUM", "exploitCodeMaturity": "NOT_DEFINED", "integrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "NETWORK", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "LOW", "modifiedIntegrityImpact": "LOW", "modifiedPrivilegesRequired": "LOW", "modifiedScope": "CHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "LOW", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "scope": "CHANGED", "temporalScore": 5.4, "temporalSeverity": "MEDIUM", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Cross-site Scripting (Stored XSS) (CWE-79)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-04-14T18:06:52.343Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://helpx.adobe.com/security/products/aem-screens/apsb25-68.html"}], "source": {"discovery": "EXTERNAL"}, "title": "Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-09T13:25:20.555649Z", "id": "CVE-2025-49547", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-09T13:25:30.605Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-49547", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-09T13:25:20.555649Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-09T13:25:27.699Z"}}], "cna": {"title": "Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)", "source": {"discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "modifiedScope": "CHANGED", "temporalScore": 5.4, "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "temporalSeverity": "MEDIUM", "availabilityImpact": "NONE", "environmentalScore": 5.4, "privilegesRequired": "LOW", "exploitCodeMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NETWORK", "confidentialityImpact": "LOW", "environmentalSeverity": "MEDIUM", "availabilityRequirement": "NOT_DEFINED", "modifiedIntegrityImpact": "LOW", "modifiedUserInteraction": "REQUIRED", "modifiedAttackComplexity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAvailabilityImpact": "NONE", "modifiedPrivilegesRequired": "LOW", "modifiedConfidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Adobe", "product": "Adobe Experience Manager", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "FP11.4"}], "defaultStatus": "affected"}], "datePublic": "2025-07-08T17:00:00.000Z", "references": [{"url": "https://helpx.adobe.com/security/products/aem-screens/apsb25-68.html", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Adobe Experience Manager versions FP11.4 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u2019s browser when they browse to the page containing the vulnerable field. Scope is changed."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross-site Scripting (Stored XSS) (CWE-79)"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-04-14T18:06:52.343Z"}}}, "cveMetadata": {"cveId": "CVE-2025-49547", "state": "PUBLISHED", "dateUpdated": "2026-04-14T18:06:52.343Z", "dateReserved": "2025-06-06T15:42:09.516Z", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "datePublished": "2025-07-08T21:40:36.387Z", "assignerShortName": "adobe"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adobe:experience_manager:6.5.22.0:fp11.4:*:*:-:*:*:*", "matchCriteriaId": "4074B32A-2D16-4466-A74D-429905EBE091", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Adobe Experience Manager versions FP11.4 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u2019s browser when they browse to the page containing the vulnerable field. Scope is changed."}, {"lang": "es", "value": "Las versiones 11.4 y anteriores de Adobe Experience Manager se ven afectadas por una vulnerabilidad de Cross-Site Scripting (XSS) Almacenado que un atacante con pocos privilegios podr\u00eda aprovechar para inyectar scripts maliciosos en campos de formulario vulnerables. Es posible que se ejecute JavaScript malicioso en el navegador de la v\u00edctima al acceder a la p\u00e1gina que contiene el campo vulnerable. Se ha modificado el alcance."}], "id": "CVE-2025-49547", "lastModified": "2026-04-14T18:16:40.657", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "psirt@adobe.com", "type": "Secondary"}]}, "published": "2025-07-08T22:15:27.737", "references": [{"source": "psirt@adobe.com", "tags": ["Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/aem-screens/apsb25-68.html"}], "sourceIdentifier": "psirt@adobe.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "psirt@adobe.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T16:22:49.193648+00:00", "value": {"mitigation_remediation": ["Apply the latest Adobe security update for Experience Manager that removes the stored XSS vulnerability.", "Validate and sanitize all user\u2011supplied input in form fields, ensuring that scripts cannot be stored or displayed.", "Implement output encoding and a strict Content Security Policy to restrict script execution in the browser."], "summary": {"action": "Apply Patch", "impact": "Stored XSS"}, "threat_synthesis": {"affected_systems": "The flaw exists in Adobe Experience Manager, versions FP11.4 and earlier. These releases include the Experience Manager product from Adobe and are used in web content management and digital experience applications.", "description_and_impact": "Adobe Experience Manager versions FP11.4 and earlier contain a stored Cross\u2011Site Scripting flaw. A low\u2011privileged attacker can inject malicious JavaScript into form fields, which will run in a victim\u2019s browser when the page is viewed. The affected code changes scope, allowing the bug to affect users beyond the immediate attacker, and can lead to data theft, session hijacking, or further web\u2011based attacks.", "risk_and_exploitability": "The CVSS score is 5.4 and the EPSS score is below 1\u202f%, indicating a moderate severity with a low probability of widespread exploitation. It is not listed in the CISA KEV catalog. The vulnerability is exploitable by any user that can submit data to the vulnerable form fields, implying a likely attack vector of web\u2011based form submission or manipulation. Because the scope is changed, an attacker could also impact users that view content rendered from those fields."}}}}, "created": "2025-07-13T21:46:53.380359+00:00", "updated": "2026-04-20T16:30:06.288297+00:00", "vendors": ["adobe", "adobe$PRODUCT$adobe_experience_manager"]}