PT-2025-31056 · Optimizely · Episerver.Cms.Core+2
F. Beie +1 · Published 2025-07-28 · Updated 2025-07-29 · CVE-2025-27800
CVSS v4.0: 4.8 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
Name of the Vulnerable Software and Affected Versions
EPiServer.CMS.Core versions prior to 11.21.4 together with EPiServer.CMS.UI versions prior to 11.37.5
EPiServer.CMS.Core versions prior to 12.22.1 together with EPiServer.CMS.UI versions prior to 11.37.3
Description
The Episerver Content Management System (CMS) by Optimizely is affected by multiple stored cross-site scripting (XSS) vulnerabilities. The Admin dashboard lets users add gadgets, including a "Notes" gadget. An authenticated attacker with the rights to edit dashboard notes can store JavaScript in a note; the script runs in the browser of any user who later views the dashboard, in that user's session context. The CVSS vector reflects this: the attacker already needs high privileges (PR:H), a victim has to open the dashboard (UI:P), and the impact lands on the victim's browser session (SC:L/SI:L) rather than on the CMS component itself.
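To make the stored-XSS pattern concrete, the following is an added example and not Optimizely/Episerver code: a hypothetical dashboard "notes" widget whose note text is persisted once and rendered many times. The names noteStore, saveNote, renderNotesUnsafe, renderNotesSafe, unexpectedTags and mountNote are invented for this illustration, and the attacker payload is constructed. It shows a renderer that concatenates stored text into markup (the vulnerable shape) next to one that HTML-encodes every untrusted field, plus a small check that tells raw markup from encoded text.

```javascript
// Added illustration (not Optimizely/Episerver code): how a stored XSS in a
// dashboard "notes" widget arises and how output encoding neutralises it.
// noteStore, saveNote, renderNotes*, unexpectedTags and mountNote are
// hypothetical names invented for this example; the payload is constructed.

// In-memory stand-in for server-side persistence of dashboard notes.
const noteStore = [];

// Storing step: a privileged user saves a note. Nothing is validated here,
// which is acceptable only if every renderer encodes the text on output.
function saveNote(author, body) {
  noteStore.push({ author, body });
  return noteStore.length;
}

// Vulnerable rendering: note fields are concatenated into markup verbatim,
// as if assigned via innerHTML. Markup in a note becomes part of the DOM.
function renderNotesUnsafe(notes) {
  return notes
    .map(n => `<li class="note"><b>${n.author}</b>: ${n.body}</li>`)
    .join("\n");
}

// Minimal HTML entity encoder for untrusted text placed in element content.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// Hardened rendering: every untrusted field is encoded before insertion.
function renderNotesSafe(notes) {
  return notes
    .map(n => `<li class="note"><b>${escapeHtml(n.author)}</b>: ${escapeHtml(n.body)}</li>`)
    .join("\n");
}

// Check for the example: which tag names in the rendered fragment are not
// part of the renderer's own template? Encoded text contains no '<', so a
// correctly encoded note can never contribute a tag.
const TEMPLATE_TAGS = new Set(["li", "b"]);
function unexpectedTags(html) {
  const found = new Set();
  for (const m of html.matchAll(/<\s*\/?([a-zA-Z][\w-]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(tag)) found.add(tag);
  }
  return [...found];
}

// Browser-side equivalent of renderNotesSafe: build nodes and set textContent,
// which is never parsed as HTML (only callable where `document` exists).
function mountNote(container, note) {
  const li = document.createElement("li");
  li.className = "note";
  const b = document.createElement("b");
  b.textContent = note.author;
  li.appendChild(b);
  li.appendChild(document.createTextNode(`: ${note.body}`));
  container.appendChild(li);
  return li;
}

// Walk-through: a benign note, then a note carrying a script-bearing payload.
function demo() {
  noteStore.length = 0;
  saveNote("editor", "Reminder: publish the campaign page on Friday");
  saveNote("attacker", '<img src=x onerror="alert(document.cookie)">');
  return {
    unsafe: renderNotesUnsafe(noteStore),
    safe: renderNotesSafe(noteStore),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const { unsafe, safe } = demo();
  console.log("unsafe ->", unexpectedTags(unsafe)); // [ 'img' ]
  console.log("safe   ->", unexpectedTags(safe));   // []
}
```

The point of the pair is that the storing step is the same in both cases: the bug is not that the note was saved, but that one renderer trusts stored text as markup. Fixing it at render time (encoding, or building DOM nodes with textContent) closes the gap for every stored note, including ones saved before the fix.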
Recommendations
Update EPiServer.CMS.Core to version 11.21.4 or later.
Update EPiServer.CMS.UI to version 11.37.5 or later.
Update EPiServer.CMS.Core to version 12.22.1 or later.
Update EPiServer.CMS.UI to version 11.37.3 or later.
Fix
XSS
Affected Products
Episerver.Cms.Core
Episerver.Cms.Ui
Episerver Cms