Vulners
Lucene search
Adobe Experience Manager 6.5 < 6.5 Multiple Vulnerabilities (APSB25-115)
| Reporter | Title | Published | Views | Family All 1099 |
|---|---|---|---|---|
 | CVE-2025-64537 | 10 Dec 202519:38 | – | circl |
| CVE-2025-64539 | 13 Dec 202501:39 | – | circl |
| CVE-2025-64541 | 13 Dec 202501:39 | – | circl |
| CVE-2025-64543 | 13 Dec 202501:39 | – | circl |
| CVE-2025-64545 | 10 Dec 202519:59 | – | circl |
| CVE-2025-64547 | 10 Dec 202519:44 | – | circl |
| CVE-2025-64548 | 10 Dec 202520:14 | – | circl |
| CVE-2025-64550 | 10 Dec 202520:24 | – | circl |
| CVE-2025-64553 | 10 Dec 202519:36 | – | circl |
| CVE-2025-64563 | 10 Dec 202519:52 | – | circl |
10
10
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(278346);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/30");
script_cve_id(
"CVE-2025-64537",
"CVE-2025-64539",
"CVE-2025-64541",
"CVE-2025-64542",
"CVE-2025-64543",
"CVE-2025-64544",
"CVE-2025-64545",
"CVE-2025-64546",
"CVE-2025-64547",
"CVE-2025-64548",
"CVE-2025-64549",
"CVE-2025-64550",
"CVE-2025-64551",
"CVE-2025-64552",
"CVE-2025-64553",
"CVE-2025-64554",
"CVE-2025-64555",
"CVE-2025-64556",
"CVE-2025-64557",
"CVE-2025-64558",
"CVE-2025-64559",
"CVE-2025-64560",
"CVE-2025-64562",
"CVE-2025-64563",
"CVE-2025-64564",
"CVE-2025-64565",
"CVE-2025-64569",
"CVE-2025-64572",
"CVE-2025-64574",
"CVE-2025-64575",
"CVE-2025-64576",
"CVE-2025-64577",
"CVE-2025-64578",
"CVE-2025-64579",
"CVE-2025-64580",
"CVE-2025-64581",
"CVE-2025-64582",
"CVE-2025-64583",
"CVE-2025-64585",
"CVE-2025-64586",
"CVE-2025-64590",
"CVE-2025-64591",
"CVE-2025-64592",
"CVE-2025-64593",
"CVE-2025-64594",
"CVE-2025-64596",
"CVE-2025-64597",
"CVE-2025-64598",
"CVE-2025-64599",
"CVE-2025-64600",
"CVE-2025-64601",
"CVE-2025-64602",
"CVE-2025-64603",
"CVE-2025-64604",
"CVE-2025-64605",
"CVE-2025-64606",
"CVE-2025-64607",
"CVE-2025-64609",
"CVE-2025-64610",
"CVE-2025-64611",
"CVE-2025-64612",
"CVE-2025-64614",
"CVE-2025-64615",
"CVE-2025-64616",
"CVE-2025-64619",
"CVE-2025-64620",
"CVE-2025-64622",
"CVE-2025-64623",
"CVE-2025-64626",
"CVE-2025-64627",
"CVE-2025-64789",
"CVE-2025-64790",
"CVE-2025-64791",
"CVE-2025-64792",
"CVE-2025-64793",
"CVE-2025-64794",
"CVE-2025-64796",
"CVE-2025-64797",
"CVE-2025-64799",
"CVE-2025-64800",
"CVE-2025-64801",
"CVE-2025-64802",
"CVE-2025-64803",
"CVE-2025-64804",
"CVE-2025-64808",
"CVE-2025-64814",
"CVE-2025-64817",
"CVE-2025-64820",
"CVE-2025-64821",
"CVE-2025-64822",
"CVE-2025-64823",
"CVE-2025-64825",
"CVE-2025-64826",
"CVE-2025-64827",
"CVE-2025-64829",
"CVE-2025-64833",
"CVE-2025-64839",
"CVE-2025-64840",
"CVE-2025-64841",
"CVE-2025-64845",
"CVE-2025-64847",
"CVE-2025-64850",
"CVE-2025-64852",
"CVE-2025-64853",
"CVE-2025-64857",
"CVE-2025-64858",
"CVE-2025-64860",
"CVE-2025-64861",
"CVE-2025-64863",
"CVE-2025-64869",
"CVE-2025-64872",
"CVE-2025-64873",
"CVE-2025-64875",
"CVE-2025-64881",
"CVE-2025-64887",
"CVE-2025-64888"
);
script_xref(name:"IAVA", value:"2025-A-0905-S");
script_name(english:"Adobe Experience Manager 6.5 < 6.5 Multiple Vulnerabilities (APSB25-115)");
script_set_attribute(attribute:"synopsis", value:
"The Adobe Experience Manager instance installed on the remote host is affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The version of Adobe Experience Manager installed on the remote host is prior to 6.5. It is, therefore, affected by
multiple vulnerabilities as referenced in the APSB25-115 advisory.
- Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting
(XSS) vulnerability that could lead to arbitrary code execution. An attacker could exploit this
vulnerability by injecting malicious scripts into a web page that are executed in the context of the
victim's browser. A successful attacker can abuse this to achieve session takeover, increasing the
confidentiality and integrity impact as high. Exploitation of this issue requires user interaction in that
a victim must visit a crafted malicious page. (CVE-2025-64537, CVE-2025-64539)
- Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS)
vulnerability that could be abused by a low privileged attacker to inject malicious scripts into
vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the
page containing the vulnerable field. (CVE-2025-64541, CVE-2025-64546, CVE-2025-64547, CVE-2025-64548,
CVE-2025-64549, CVE-2025-64553, CVE-2025-64554, CVE-2025-64555, CVE-2025-64556, CVE-2025-64557,
CVE-2025-64558, CVE-2025-64559, CVE-2025-64572, CVE-2025-64574, CVE-2025-64575, CVE-2025-64576,
CVE-2025-64577, CVE-2025-64578, CVE-2025-64579, CVE-2025-64580, CVE-2025-64581, CVE-2025-64582,
CVE-2025-64585, CVE-2025-64586, CVE-2025-64590, CVE-2025-64591, CVE-2025-64592, CVE-2025-64593,
CVE-2025-64594, CVE-2025-64596, CVE-2025-64597, CVE-2025-64598, CVE-2025-64599, CVE-2025-64600,
CVE-2025-64601, CVE-2025-64602, CVE-2025-64603, CVE-2025-64604, CVE-2025-64605, CVE-2025-64606,
CVE-2025-64607, CVE-2025-64609, CVE-2025-64611, CVE-2025-64612, CVE-2025-64614, CVE-2025-64615,
CVE-2025-64616, CVE-2025-64619, CVE-2025-64620, CVE-2025-64622, CVE-2025-64623, CVE-2025-64626,
CVE-2025-64627, CVE-2025-64789, CVE-2025-64790, CVE-2025-64791, CVE-2025-64792, CVE-2025-64793,
CVE-2025-64794, CVE-2025-64796, CVE-2025-64797, CVE-2025-64799, CVE-2025-64800, CVE-2025-64801,
CVE-2025-64802, CVE-2025-64803, CVE-2025-64804, CVE-2025-64808, CVE-2025-64814, CVE-2025-64817,
CVE-2025-64820, CVE-2025-64821, CVE-2025-64822, CVE-2025-64823, CVE-2025-64825, CVE-2025-64826,
CVE-2025-64827, CVE-2025-64829, CVE-2025-64833, CVE-2025-64839, CVE-2025-64840, CVE-2025-64841,
CVE-2025-64845, CVE-2025-64847, CVE-2025-64850, CVE-2025-64852, CVE-2025-64853, CVE-2025-64857,
CVE-2025-64858, CVE-2025-64861, CVE-2025-64863, CVE-2025-64869, CVE-2025-64873, CVE-2025-64875,
CVE-2025-64881)
- Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting
(XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in
the context of the victim's browser. Exploitation of this issue requires user interaction, such as
visiting a crafted URL or interacting with a manipulated web page. (CVE-2025-64543, CVE-2025-64544,
CVE-2025-64545, CVE-2025-64550, CVE-2025-64551, CVE-2025-64560, CVE-2025-64562, CVE-2025-64563,
CVE-2025-64564, CVE-2025-64565, CVE-2025-64569, CVE-2025-64583, CVE-2025-64887, CVE-2025-64888)
- Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS)
vulnerability that could be abused by a high privileged attacker to inject malicious scripts into
vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the
page containing the vulnerable field. (CVE-2025-64872)
- Cross-site Scripting (DOM-based XSS) (CWE-79) potentially leading to Arbitrary code execution
(CVE-2025-64542)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
# https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2c5842d4");
script_set_attribute(attribute:"solution", value:
"Upgrade to Adobe Experience Manager version 6.5 or later.");
script_set_attribute(attribute:"agent", value:"windows");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-64539");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(79);
script_set_attribute(attribute:"vuln_publication_date", value:"2025/12/09");
script_set_attribute(attribute:"patch_publication_date", value:"2025/12/09");
script_set_attribute(attribute:"plugin_publication_date", value:"2025/12/11");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:experience_manager");
script_set_attribute(attribute:"generated_plugin", value:"former");
script_set_attribute(attribute:"stig_severity", value:"I");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("adobe_experience_manager_http_detect.nbin", "adobe_experience_manager_installed.nbin");
script_require_keys("installed_sw/Adobe Experience Manager");
exit(0);
}
include('vcf.inc');
var app_info = vcf::combined_get_app_info(app:'Adobe Experience Manager');
vcf::check_granularity(app_info:app_info, sig_segments:2);
var constraints = [
{'fixed_version' : '6.5.24'}
];
vcf::check_version_and_report(
app_info:app_info,
constraints:constraints,
severity:SECURITY_HOLE,
flags:{'xss':TRUE},
require_paranoia:TRUE # can't detect LTS or hotfixes
);
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Apr 2026 00:00Current
6.1Medium risk
Vulners AI Score6.1
CVSS 3.19.3
EPSS0.01139
SSVC