Impact
Adobe Experience Manager versions 6.5.23 and earlier contain a stored Cross-Site Scripting (XSS) vulnerability. A low-privileged attacker can insert malicious JavaScript into certain form fields. When a victim's browser renders the page containing the stored input, the script runs in the victim's context, potentially allowing cookie theft, session hijacking, defacement, or the delivery of malware. The weakness is a classic Stored XSS (CWE-79). Based on the description, it is inferred that the attack occurs when the victim views the page that displays the compromised form input.
Affected Systems
Affected systems are Adobe Experience Manager deployments running version 6.5.23 or earlier (including earlier 6.5.x releases). The advisory lists the following CPEs: cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:*; cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:*; and the SP1 variant. Commercial cloud instances (aem_cloud_service) are also included. All deployments of these versions are impacted.
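As an added example (not part of the advisory or of Adobe's tooling), the check below turns the affected range stated above into an inventory triage step: it parses numeric AEM version strings such as "6.5.23.0" and flags anything at or below 6.5.23 as affected. It assumes dotted numeric versions only; LTS service-pack labels and other non-numeric strings are reported as unknown so they get a manual look rather than a false "not affected".

```python
"""Triage AEM hosts against the advisory's stated range (6.5.23 and earlier)."""
import re
from typing import Dict, Optional, Tuple

# Last affected release named in the advisory text; everything at or below it is in scope.
LAST_AFFECTED = (6, 5, 23)


def parse_aem_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a dotted numeric AEM version, or None if unparseable.
    A trailing build segment ('6.5.23.0') and surrounding whitespace are tolerated;
    a missing patch component ('6.5') is read as 0."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)*\s*", version)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def is_affected(version: str) -> Optional[bool]:
    """True if the version is 6.5.23 or earlier, False if later,
    None when the string cannot be interpreted (treat as 'needs review')."""
    parsed = parse_aem_version(version)
    if parsed is None:
        return None
    return parsed <= LAST_AFFECTED


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a hostname -> version inventory to a verdict string."""
    verdicts = {}
    for host, version in inventory.items():
        v = is_affected(version)
        if v is True:
            verdicts[host] = "affected"
        elif v is False:
            verdicts[host] = "not affected"
        else:
            verdicts[host] = "unknown"
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up for illustration.
    sample = {"author-1": "6.5.23.0", "publish-1": "6.5.24.0", "legacy": "6.5.0", "lts-1": "6.5-LTS-SP1"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```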
Risk and Exploitability
The CVSS v3 score of 5.4 indicates moderate severity. EPSS shows less than 1% chance of exploitation in the near term, and the vulnerability is not included in CISA’s Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that an attacker only needs the ability to submit form data through the web UI and does not require privileged access. The risk is therefore limited to users who view the affected content, but a successful exploit could compromise user session data and application integrity.
OpenCVE Enrichment