CVE-2025-54254

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

A

dobe Experience Manager versions 6.5.23 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the local file system, scope is changed. Exploitation of this issue does not require user interaction.

References

Link	Resource
https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:adobe:experience_manager_forms:*:*:*:*:*:*:*:*

History

02 Oct 2025, 19:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-05 17:15

Updated : 2025-10-02 19:17

NVD link : CVE-2025-54254

Mitre link : CVE-2025-54254

CVE.ORG link : CVE-2025-54254

JSON object : View

Products Affected

experience_manager_forms

CWE

CWE-611

Improper Restriction of XML External Entity Reference

{"id": "CVE-2025-54254", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.9}]}, "published": "2025-08-05T17:15:29.460", "references": [{"url": "https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "Adobe Experience Manager versions 6.5.23 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the local file system, scope is changed. Exploitation of this issue does not require user interaction."}, {"lang": "es", "value": "Las versiones 6.5.23 y anteriores de Adobe Experience Manager se ven afectadas por una vulnerabilidad de restricci\u00f3n incorrecta de referencias a entidades externas XML ('XXE'), que podr\u00eda provocar lecturas arbitrarias del sistema de archivos. Un atacante podr\u00eda aprovechar esta vulnerabilidad para acceder a archivos confidenciales del sistema de archivos local. Para aprovechar este problema, no se requiere la intervenci\u00f3n del usuario."}], "lastModified": "2025-10-02T19:17:17.147", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:adobe:experience_manager_forms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1449BBE4-7484-4972-8D04-BEC04C159F44", "versionEndIncluding": "6.5.23.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}