Impact
Adobe Experience Manager versions 6.5.23 and earlier contain a stored Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject malicious JavaScript into form fields. The vendor description notes: "Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field." The flaw permits arbitrary script execution in the context of the victim’s browser; it does not provide direct system compromise, but it can lead to session hijacking or data theft if the victim is authenticated.
Affected Systems
The vulnerable products are Adobe Experience Manager on-premises builds 6.5 (prior to 6.5.24) and the corresponding SP1 release. The cloud-based Adobe Experience Manager Cloud Service is also affected, as indicated by the CPE data. No specific patch level is listed, but any 6.5 installation running a version equal to or older than 6.5.23 is affected.
Risk and Exploitability
The CVSS v3 score of 5.4 indicates moderate severity. An EPSS score of less than 1% shows a very low probability of exploitation in the wild, and the vulnerability is not included in the CISA KEV catalog. An attacker needs only to submit malicious content through a form whose value is stored and later rendered to other users; the script executes when the affected page is viewed. The risk is therefore limited to users who can view the compromised content and is mitigated by applying the vendor's update.
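To make the stored-XSS pattern described above concrete, the following is an added example written for this page; it is not Adobe's code and does not use any AEM API. It assumes a hypothetical in-memory `formStore` standing in for the content repository, a `submitForm` function that persists a field value as received, and two renderers: `renderFieldVulnerable`, which interpolates the stored value raw (the weak pattern), and `renderFieldHardened`, which HTML-encodes it for the element-content context at render time. A small `containsActiveContent` check shows how a defender can flag rendered output that carries markup the template itself never emits.

```javascript
// Added illustration of stored XSS (not AEM's code): a form-field value is
// persisted and later rendered into a page for other users.

// Constructed in-memory store standing in for the CMS content repository.
const formStore = new Map();

// Persist the submitted value exactly as received (typical CMS behaviour;
// storing raw input is fine as long as output encoding happens at render).
function submitForm(formId, fieldValue) {
  formStore.set(formId, String(fieldValue));
}

// Encoder for the HTML element-content context: neutralises the characters
// that can change how the browser parses a text node or attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: raw interpolation, so any markup in the stored value becomes
// live HTML when the page containing the field is viewed.
function renderFieldVulnerable(formId) {
  const value = formStore.get(formId) ?? "";
  return `<div class="form-field">${value}</div>`;
}

// Hardened: output encoding at the render step, regardless of what was stored.
function renderFieldHardened(formId) {
  const value = formStore.get(formId) ?? "";
  return `<div class="form-field">${escapeHtml(value)}</div>`;
}

// Defender-side check on rendered output: the template emits only a <div>,
// so a <script> tag or an on*= event-handler attribute in the result means
// untrusted content reached the page unencoded.
function containsActiveContent(html) {
  return /<script\b|\son\w+\s*=/i.test(html);
}

// Constructed sample submission: benign text followed by a script tag, used
// only to show the difference between the two renderers.
submitForm("contact", 'Hello <script>alert("xss")</script>');

console.log("vulnerable:", renderFieldVulnerable("contact"));
console.log("hardened:  ", renderFieldHardened("contact"));
console.log("active content in vulnerable output:",
  containsActiveContent(renderFieldVulnerable("contact")));
console.log("active content in hardened output:  ",
  containsActiveContent(renderFieldHardened("contact")));
```

The design point is that encoding belongs at the output boundary, chosen for the context the value lands in (element content here; attribute, URL and JavaScript contexts each need their own encoder). Input filtering alone is brittle, because the stored value is rendered in places the filter never saw.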
OpenCVE Enrichment