Impact
The vulnerability is a stored Cross‑Site Scripting (XSS) flaw in Adobe Experience Manager that allows a low‑privileged attacker to inject malicious JavaScript into form fields. Key detail from vendor description: 'Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross‑Site Scripting (XSS) vulnerability that could be abused by a low‑privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.' The impact is execution of arbitrary script in the victim’s browser when they access the affected page, potentially leading to client‑side attacks such as phishing or defacement.
Affected Systems
Affected systems are Adobe Experience Manager versions 6.5.23 and earlier, including the long‑term support (LTS) releases 6.5 and 6.5 sp1 LTS. The CNA product list and associated CPE strings indicate the flaw exists across the generic AEM product, the AEM Cloud Service, and the specified LTS releases. No other vendors or products are listed as affected.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity. The EPSS score is less than 1%, suggesting a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Key detail from vendor description: the flaw requires an attacker to submit input to a vulnerable form field, so the attack vector is user‑supplied form input. Because the injected script is persisted, an attacker only needs a victim to visit a page containing it for execution to occur. No additional conditions are required beyond the presence of the vulnerable form field.
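The stored‑XSS pattern described above, modelled as an added example that is not AEM's code or the vendor's fix: a persisted form value rendered without escaping beside the same value escaped for its HTML output context, plus a defender‑side audit over the stored records. The submission records and the `render_*`/`audit_store` helpers are constructed for illustration.

```python
import html
import re

# Constructed sample of persisted form submissions (illustrative data, not AEM's store).
STORED_SUBMISSIONS = [
    {"id": 1, "comment": "Thanks for the quick reply."},
    {"id": 2, "comment": "<script>alert(1)</script>"},
    {"id": 3, "comment": '" onmouseover="alert(1)'},
]


def render_vulnerable(submission):
    """Interpolates the stored value unescaped: this is the stored-XSS pattern."""
    c = submission["comment"]
    return f'<li data-comment="{c}">{c}</li>'


def render_hardened(submission):
    """Escapes for the output context (HTML body and a quoted attribute)."""
    c = html.escape(submission["comment"], quote=True)
    return f'<li data-comment="{c}">{c}</li>'


def contains_markup(value):
    """Audit heuristic: flag values carrying a tag or a quote-then-event-handler breakout."""
    return bool(re.search(r"<\s*/?[a-zA-Z]|\"\s*on\w+\s*=", value))


def audit_store(submissions):
    """Return ids of persisted submissions that look like injected markup."""
    return [s["id"] for s in submissions if contains_markup(s["comment"])]


if __name__ == "__main__":
    for s in STORED_SUBMISSIONS:
        print("vulnerable:", render_vulnerable(s))
        print("hardened:  ", render_hardened(s))
    print("flagged ids:", audit_store(STORED_SUBMISSIONS))
```

The audit regex is a triage aid for reviewing already‑stored data; the durable fix is context‑aware output encoding at render time.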
OpenCVE Enrichment