Stored Cross-Site Scripting Vulnerability in Optimizely Content Management System
CVE-2025-27800

4.8MEDIUM

Key Information:

Vendor

Optimizely

Status
Episerver Content Management System (cms)
Vendor
CVE Published:
28 July 2025

What is CVE-2025-27800?

The Episerver Content Management System by Optimizely is susceptible to Stored Cross-Site Scripting vulnerabilities, which could allow an authenticated attacker to inject and execute malicious JavaScript code in the browser of victims. This is facilitated through the Admin dashboard's gadget feature, particularly the 'Notes' gadget. If an attacker with sufficient privileges, such as 'WebAdmin', impersonates a victim, they can embed harmful scripts in notes that will be executed upon the victim's visit to the dashboard. This presents a significant security risk to users and their data.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Episerver Content Management System (CMS) 11.x < 11.21.4

Episerver Content Management System (CMS) 12.x < 12.22.1

References

https://api.nuget.optimizely.com/packages/episerver.cms.c...
patch
https://api.nuget.optimizely.com/packages/episerver.cms.c...
patch
https://r.sec-consult.com/optimizely
third-party-advisory

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kai Zimmermann, SEC Consult Vulnerability Lab
Felix Beie, SEC Consult Vulnerability Lab
JSON
.