Stored Cross-Site Scripting Vulnerability in Optimizely Content Management System
CVE-2025-27800

4.6MEDIUM

Key Information:

Vendor: Optimizely
Status: Episerver Content Management System (cms)
Vendor: CVE Published:; 28 July 2025

What is CVE-2025-27800?

The Episerver Content Management System by Optimizely is susceptible to Stored Cross-Site Scripting vulnerabilities, which could allow an authenticated attacker to inject and execute malicious JavaScript code in the browser of victims. This is facilitated through the Admin dashboard's gadget feature, particularly the 'Notes' gadget. If an attacker with sufficient privileges, such as 'WebAdmin', impersonates a victim, they can embed harmful scripts in notes that will be executed upon the victim's visit to the dashboard. This presents a significant security risk to users and their data.

Affected Version(s)

Episerver Content Management System (CMS) 11.x < 11.21.4

Episerver Content Management System (CMS) 12.x < 12.22.1

References

https://support.optimizely.com/hc/en-us/articles/30886353...

patch

https://support.optimizely.com/hc/en-us/articles/37757063...

patch

CVSS V4

Score:

4.6

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 28, 2025
Vulnerability Reserved
Mar 7, 2025

Credit

Kai Zimmermann, SEC Consult Vulnerability Lab

Felix Beie, SEC Consult Vulnerability Lab