Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an XML Injection vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to manipulate XML queries and gain limited unauthorized write access.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 30 Sep 2025 22:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Fri, 12 Sep 2025 14:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:*
cpe:2.3:a:adobe:experience_manager:*:*:*:*:aem_cloud_service:*:*:*
cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:*
cpe:2.3:a:adobe:experience_manager:6.5:sp1:*:*:lts:*:*:*

Tue, 09 Sep 2025 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe experience Manager
Vendors & Products Adobe
Adobe experience Manager

Tue, 09 Sep 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Sep 2025 16:45:00 +0000

Type Values Removed Values Added
Description Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an XML Injection vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to manipulate XML queries and gain limited unauthorized write access.
Title Adobe Experience Manager | XML Injection (aka Blind XPath Injection) (CWE-91)
Weaknesses CWE-91
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2025-09-30T22:19:30.778Z

Reserved: 2025-07-17T21:15:02.454Z

Link: CVE-2025-54251

cve-icon Vulnrichment

Updated: 2025-09-09T16:48:45.957Z

cve-icon NVD

Status : Modified

Published: 2025-09-09T17:15:59.070

Modified: 2025-09-30T23:15:29.333

Link: CVE-2025-54251

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-09-09T21:31:07Z