Impact
Key detail from vendor description: 'Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross‑Site Scripting (XSS) vulnerability that could be abused by a low‑privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.' The vulnerability is a stored XSS (CWE‑79): an attacker who can write to an affected form field stores attacker-controlled JavaScript on the server, and the application later renders that value into a page without adequate output encoding. When a victim loads the page, the browser executes the injected code within the application's origin and the victim's session, which can expose session cookies or credentials, perform actions on the victim's behalf, or deface the page. Because the payload is stored rather than reflected, the attacker does not need to lure the victim to a crafted link; anyone who views the affected page is exposed until the stored content is removed.
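The following is an added illustration of the stored-XSS pattern the description refers to; it is not Adobe code and says nothing about how AEM renders forms internally. It uses a small in-memory "form store" (the `formStore`, `storeSubmission`, `renderFieldUnsafe`, `renderFieldSafe` and `auditStore` names, and the sample payload, are all constructed for this example) to show the vulnerable renderer beside a hardened one that applies context-appropriate HTML encoding, plus a heuristic for triaging values that are already stored.

```javascript
// Added example, not from the advisory or from Adobe. Node.js, no dependencies.
// Models the stored-XSS flow: a low-privileged writer stores a value, a later
// page render turns it into markup in the victim's browser.

// Constructed in-memory store standing in for persisted form submissions.
const formStore = new Map();

function storeSubmission(fieldName, value) {
  // Storage itself is not the defect: raw values may legitimately be kept.
  // The defect is rendering them into HTML without encoding.
  formStore.set(fieldName, String(value));
}

// Vulnerable renderer: interpolates the stored value straight into markup,
// so any tags or handlers in the value become live DOM when the page loads.
function renderFieldUnsafe(fieldName) {
  const value = formStore.get(fieldName) ?? '';
  return `<p><b>${fieldName}</b>: ${value}</p>`;
}

// Encode the characters that can change parser state in an HTML text
// or double-quoted attribute context. '&' goes first so later
// replacements are not double-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Hardened renderer: same output structure, but the stored value is
// encoded for the context it lands in, so it can only render as text.
function renderFieldSafe(fieldName) {
  const value = formStore.get(fieldName) ?? '';
  return `<p><b>${escapeHtml(fieldName)}</b>: ${escapeHtml(value)}</p>`;
}

// Triage heuristic for data already in the store: flag values containing
// tags, inline event handlers or javascript: URLs. This is not a sanitizer;
// it only tells you which stored fields to review after a fix is applied.
const SUSPICIOUS = /<\s*\/?\s*[a-z!]|on[a-z]+\s*=|javascript\s*:/i;
function looksLikeMarkup(value) {
  return SUSPICIOUS.test(String(value));
}

function auditStore() {
  return [...formStore.entries()]
    .filter(([, v]) => looksLikeMarkup(v))
    .map(([k]) => k);
}

// Constructed sample data: one benign value and one injected payload.
storeSubmission('city', 'Basel');
storeSubmission('comment', '<img src=x onerror="alert(document.cookie)">');

console.log('unsafe :', renderFieldUnsafe('comment'));
console.log('safe   :', renderFieldSafe('comment'));
console.log('review :', auditStore());
```

The unsafe renderer emits the `<img ... onerror=...>` tag verbatim, so the handler fires for every viewer; the safe renderer emits `&lt;img ... &gt;`, which the browser displays as text. The audit helper is deliberately noisy: when responding to a stored XSS, it is better to review a few false positives than to leave an already-stored payload in place after patching.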
Affected Systems
The affected product is Adobe Experience Manager. Versions 6.5.23 and all earlier releases are vulnerable, as stated in the vendor description. The Common Platform Enumeration list includes 'cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:*', which identifies the 6.5 long‑term support (LTS) line with no particular update specified, together with an entry for the cloud service deployment, so both the self‑managed 6.5 line and AEM as a Cloud Service are in scope. The description does not name a fixed version or service pack; administrators should consult Adobe’s security advisory for the release that resolves the issue and verify the installed version against it.
Risk and Exploitability
The CVSS base score of 5.4 places the flaw at medium severity, while the EPSS score (below 1%) indicates a low estimated probability of exploitation in the wild, and the vulnerability is not listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog. From the description, the attack requires the ability to write to a vulnerable form field, which a low‑privileged authenticated user with form‑submission rights can typically do; the only interaction needed from the victim is browsing to the page that displays the stored value. Once the payload is stored, every user who renders that page is exposed until the content is removed, which makes the exploitation path straightforward but scoped to viewers of that page. The practical impact therefore depends on who views the affected page: if authors or administrators do, their sessions and privileges are the ones at risk, regardless of the medium base score.
OpenCVE Enrichment