Adobe Experience Manager Improper Restriction of XML External Entity Reference Vulnerability Allowing Arbitrary File System Read

Vulnerability

An improper restriction of XML external entity reference (XXE) vulnerability has been identified in Adobe Experience Manager (AEM) Forms on Java Enterprise Edition (JEE) versions 6.5.23.0 and earlier. An XML parser that resolves external entities from attacker-supplied documents can be made to read arbitrary files from the local file system and expose their contents, potentially allowing access to sensitive information. Exploitation of this vulnerability does not require user interaction.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the local file system.

Remediation

Users are advised to update to Adobe Experience Manager (AEM) Forms on JEE version 6.5.0-0108. Update instructions are available on the Adobe Experience League website.
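Patching to the fixed AEM Forms release is the remediation for this advisory. As a defense-in-depth illustration of the underlying weakness class, the following added example (not Adobe's code and not taken from this advisory) shows a JAXP DocumentBuilder configured so that DOCTYPE declarations, and therefore external entity definitions, are rejected before any entity is resolved. The sample XML documents, the class name XxeHardening, and the placeholder path in the SYSTEM identifier are constructed for the example; the JAXP feature URIs are the standard Xerces/JAXP ones.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;

// Added example: hardened XML parsing in Java against XXE (not AEM code).
public class XxeHardening {

    // Hardened JAXP configuration. The first feature forbids DOCTYPE
    // declarations entirely, which removes the entity mechanism XXE relies on.
    // The remaining settings are defense in depth for parsers that do not
    // honour disallow-doctype-decl: no external general/parameter entities,
    // no external DTD loading, no XInclude, no access to external DTDs/schemas.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    // Returns true when the document parses, false when the parser rejects it.
    // Any parse failure is treated as rejection; callers should log the reason.
    static boolean parses(DocumentBuilder builder, String xml) {
        try {
            Document doc = builder.parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement() != null;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder builder = hardenedBuilder();

        // Constructed sample input: an ordinary form submission.
        String benign = "<form><field>hello</field></form>";

        // Constructed sample input: a document carrying a DOCTYPE with an
        // external entity. The SYSTEM identifier is a non-existent placeholder;
        // the hardened parser rejects the DOCTYPE before resolving anything.
        String withDoctype =
            "<!DOCTYPE form [<!ENTITY ext SYSTEM \"file:///placeholder/path\">]>"
            + "<form>&ext;</form>";

        System.out.println("benign document accepted: " + parses(builder, benign));
        System.out.println("DOCTYPE document accepted: " + parses(builder, withDoctype));
    }
}
```

With the default JDK parser the benign document is accepted and the DOCTYPE-bearing document is rejected with a SAXParseException, so the entity is never resolved and no file is read. The same feature set applies to SAXParserFactory, XMLInputFactory and Transformer instances; an application that builds parsers in several places should centralise this configuration in one factory method so that no code path falls back to the permissive defaults.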

Added: Aug 5, 2025, 5:22 PM
Updated: Aug 5, 2025, 5:22 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 3.3
exploitability: 7.4
remediation: 7.7
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.