CVE-2025-54254

Adobe Experience Manager versions 6.5.23 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the local file system. Exploitation of this issue does not require user interaction.

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:adobe:experience_manager_forms:*:*:*:*:*:*:*:*

History

13 Aug 2025, 18:54

Type	Values Removed	Values Added
CPE		cpe:2.3:a:adobe:experience_manager_forms::::::::
First Time		Adobe Adobe experience Manager Forms
Summary		(es) Las versiones 6.5.23 y anteriores de Adobe Experience Manager se ven afectadas por una vulnerabilidad de restricción incorrecta de referencias a entidades externas XML ('XXE'), que podría provocar lecturas arbitrarias del sistema de archivos. Un atacante podría aprovechar esta vulnerabilidad para acceder a archivos confidenciales del sistema de archivos local. Para aprovechar este problema, no se requiere la intervención del usuario.
References	~~() https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html -~~	() https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html - Vendor Advisory

05 Aug 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-05 17:15

Updated : 2025-08-13 18:54

NVD link : CVE-2025-54254

Mitre link : CVE-2025-54254

CVE.ORG link : CVE-2025-54254

JSON object : View

Products Affected

adobe

experience_manager_forms

CWE

CWE-611

Improper Restriction of XML External Entity Reference

{"id": "CVE-2025-54254", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@adobe.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-08-05T17:15:29.460", "references": [{"url": "https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html", "tags": ["Vendor Advisory"], "source": "psirt@adobe.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "psirt@adobe.com", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "Adobe Experience Manager versions 6.5.23 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the local file system. Exploitation of this issue does not require user interaction."}, {"lang": "es", "value": "Las versiones 6.5.23 y anteriores de Adobe Experience Manager se ven afectadas por una vulnerabilidad de restricci\u00f3n incorrecta de referencias a entidades externas XML ('XXE'), que podr\u00eda provocar lecturas arbitrarias del sistema de archivos. Un atacante podr\u00eda aprovechar esta vulnerabilidad para acceder a archivos confidenciales del sistema de archivos local. Para aprovechar este problema, no se requiere la intervenci\u00f3n del usuario."}], "lastModified": "2025-08-13T18:54:27.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:adobe:experience_manager_forms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1449BBE4-7484-4972-8D04-BEC04C159F44", "versionEndIncluding": "6.5.23.0"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@adobe.com"}