PT-2025-28765 · Adobe · Experience Manager

Published 2025-07-08 · Updated 2025-09-26 · CVE-2025-49533

CVSS v2.0: 10 (Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)

**Name of the Vulnerable Software and Affected Versions**

Adobe Experience Manager (MS) versions 6.5.23.0 and earlier

Adobe Experience Manager (AEM) Forms on JEE (affected versions not specified)

**Description**

The software is susceptible to a Deserialization of Untrusted Data issue. Successful exploitation of this issue does not require user interaction and could allow a remote attacker to execute arbitrary code. The vulnerability resides in the FormServer module, specifically within the `GetDocumentServlet` endpoint. The servlet processes user-supplied data, decoding and deserializing it without proper validation. An attacker can send malicious data, potentially encoded in Base64 and compressed with gzip, to execute commands on the server. The API endpoint `/FormServer/servlet/GetDocumentServlet` is used to deliver the malicious payload. The vulnerable parameter is `serDoc`. A Python server can be used to emulate the deserialization process, demonstrating how a crafted payload can lead to Remote Code Execution (RCE).
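As an added example that is not part of the advisory or the vendor's code, the following Python detection logic applies the description above to web access logs: it picks out requests to the `GetDocumentServlet` endpoint, reverses the Base64 and gzip layers on the `serDoc` parameter, and flags values that begin with a Java serialization stream header. The access-log format, the sample lines and the stream-header check are assumptions; because legitimate clients may also submit serialized documents to this servlet, a hit marks a request for analyst review rather than proving exploitation.

```python
import base64, binascii, gzip, re
from urllib.parse import parse_qs, quote, urlsplit

# Endpoint and parameter named in the advisory above.
VULN_PATH = "/FormServer/servlet/GetDocumentServlet"
VULN_PARAM = "serDoc"
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"  # ObjectOutputStream STREAM_MAGIC + STREAM_VERSION 5
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')  # access-log request line

def decode_serdoc(value):
    """Undo the layers the advisory describes: Base64, then gzip if present; None if malformed."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw.startswith(b"\x1f\x8b"):  # gzip magic
        try:
            raw = gzip.decompress(raw)
        except (OSError, EOFError):
            return None
    return raw

def classify_request(log_line):
    """'java-object-stream' if a serDoc value sent to the servlet decodes to a Java
    serialization stream, 'undecodable-serdoc' if it will not decode, else 'no-match'."""
    m = REQUEST_RE.search(log_line)
    url = urlsplit(m.group("target")) if m else None
    if url is None or url.path != VULN_PATH:
        return "no-match"
    verdict = "no-match"
    for value in parse_qs(url.query).get(VULN_PARAM, []):
        decoded = decode_serdoc(value)
        if decoded is None:
            verdict = "undecodable-serdoc"
        elif decoded.startswith(JAVA_SERIAL_MAGIC):
            return "java-object-stream"  # hand this request to an analyst
    return verdict

def sample_log():
    """Constructed access-log lines (not captured traffic), one per branch above."""
    stream = JAVA_SERIAL_MAGIC + b"\x00" * 16  # bare stream header plus filler, no objects
    gz_b64 = base64.b64encode(gzip.compress(stream)).decode()
    plain_b64 = base64.b64encode(b"plain form data").decode()
    tpl = '10.0.0.5 - - [08/Jul/2025:10:00:00 +0000] "GET {} HTTP/1.1" 200 512'
    return [tpl.format(f"{VULN_PATH}?{VULN_PARAM}={quote(gz_b64, safe='')}"),
            tpl.format(f"{VULN_PATH}?{VULN_PARAM}={quote(plain_b64, safe='')}"),
            tpl.format(f"{VULN_PATH}?{VULN_PARAM}=%%not-base64"),
            tpl.format("/content/dam/logo.png")]
```

Running `classify_request` over `sample_log()` yields one hit for the gzip-wrapped stream header, one undecodable value and two non-matches; the same function can be pointed at a real access log line by line.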

**Recommendations**

Update Adobe Experience Manager to a version later than 6.5.23.0.

Update Adobe AEM Forms on JEE to a newer version that addresses this issue.

Fix · RCE

**Weakness Enumeration**

Deserialization of Untrusted Data

**Related Identifiers**

BDU:2025-08732
CVE-2025-49533

**Affected Products**

Experience Manager