Stored Cross-Site Scripting Vulnerabilities in Episerver CMS by Optimizely
CVE-2025-27801
4.6MEDIUM
What is CVE-2025-27801?
The Episerver Content Management System by Optimizely suffers from multiple Stored Cross-Site Scripting vulnerabilities. Authenticated attackers with the WebEditor role can exploit these vulnerabilities to upload SVG files containing malicious JavaScript code. When a user accesses the direct URL of the uploaded content, the malicious script is executed in their browser, potentially compromising sensitive information and user experience.
Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
Episerver Content Management System (CMS) 11.x < 11.21.4
Episerver Content Management System (CMS) 12.x < 12.22.1
References
CVSS V4
Score:
4.6
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Kai Zimmermann, SEC Consult Vulnerability Lab
Felix Beie, SEC Consult Vulnerability Lab