PT-2025-31056 · Optimizely · Episerver.Cms.Core +2
F. Beie +1 · Published 2025-07-28 · Updated 2025-07-29
CVE-2025-27800 · CVSS 4.8 (Medium)
Base vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
- Episerver CMS versions prior to 11.21.4 and EPiServer.CMS.UI versions prior to 11.37.5
- Episerver CMS versions prior to 12.22.1 and EPiServer.CMS.UI versions prior to 11.37.3
Description:
The Episerver Content Management System (CMS) by Optimizely is affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities. An authenticated attacker can execute malicious JavaScript code in the victim’s browser. The Admin dashboard allows adding gadgets, including a "Notes" gadget. An attacker with appropriate access rights can insert malicious JavaScript code into these notes, which will be executed when a victim views the dashboard.
Recommendations:
- CMS 11: update EPiServer.CMS.Core to version 11.21.4 or later and EPiServer.CMS.UI to version 11.37.5 or later.
- CMS 12: update EPiServer.CMS.Core to version 12.22.1 or later and EPiServer.CMS.UI to version 11.37.3 or later.
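As an added check that is not part of this advisory: a small Python script that reads a project's csproj PackageReference entries and flags EPiServer.CMS.Core / EPiServer.CMS.UI versions that are still below the fixed versions listed above. It assumes SDK-style csproj files without XML namespaces, and it reads the advisory's two affected-version lines as CMS 11 and CMS 12 pairs (the CMS.UI threshold follows the Core major version); the sample project file is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Fixed versions as stated in the advisory, keyed by CMS track (major version of
# EPiServer.CMS.Core); pairing the CMS.UI threshold with the Core track is an assumption.
FIXED = {
    11: {"episerver.cms.core": (11, 21, 4), "episerver.cms.ui": (11, 37, 5)},
    12: {"episerver.cms.core": (12, 22, 1), "episerver.cms.ui": (11, 37, 3)},
}

def parse_version(text):
    """Turn '11.21.4' or '12.22.1-pre1' into a 3-tuple of ints for comparison."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in match.group(0).split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def package_versions(csproj_xml):
    """Map lower-cased package id -> version string from PackageReference elements."""
    found = {}
    for ref in ET.fromstring(csproj_xml).iter("PackageReference"):
        name = ref.get("Include")
        version = ref.get("Version") or ref.findtext("Version")
        if name and version:
            found[name.lower()] = version.strip()
    return found

def check_cve_2025_27800(csproj_xml):
    """Return (package, installed, fixed) for each package still below its fix."""
    pkgs = package_versions(csproj_xml)
    track = parse_version(pkgs.get("episerver.cms.core", "0"))[0]  # no Core -> track 0 -> nothing
    findings = []
    for name, fixed in FIXED.get(track, {}).items():
        if name in pkgs and parse_version(pkgs[name]) < fixed:
            findings.append((name, pkgs[name], ".".join(map(str, fixed))))
    return findings

# Constructed sample project file (not from the page): CMS 11 track, both packages outdated.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="EPiServer.CMS.Core" Version="11.20.0" />
    <PackageReference Include="EPiServer.CMS.UI" Version="11.37.4" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    print(check_cve_2025_27800(SAMPLE_CSPROJ))
```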
References (10):
- https://nvd.nist.gov/vuln/detail/CVE-2025-27800 · Security Note
- https://api.nuget.optimizely.com/packages/episerver.cms.core/11.21.4# · Patch
- https://support.optimizely.com/hc/en-us/articles/30886353301645-2025-Optimizely-CMS-11-PaaS-release-notes#h_01K09MR1SZS4FEAPD4478GQ0FR · Patch
- https://support.optimizely.com/hc/en-us/articles/37757063222029-2024-Optimizely-CMS-12-PaaS-release-notes#h_01JN4AZV48WKNADH3KWC2GYDS5 · Patch
- https://api.nuget.optimizely.com/packages/episerver.cms.core/12.22.1# · Patch
- https://twitter.com/VulmonFeeds/status/1949775421215473959 · Twitter Post
- https://t.me/CVEtracker/28545 · Telegram Post
- https://twitter.com/CVEnew/status/1949762895484477479 · Twitter Post
- https://r.sec-consult.com/optimizely · Note
- https://twitter.com/autumn_good_35/status/1950122869540655417 · Twitter Post