{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-27800", "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "state": "PUBLISHED", "assignerShortName": "SEC-VLab", "dateReserved": "2025-03-07T06:46:34.308Z", "datePublished": "2025-07-28T08:33:24.304Z", "dateUpdated": "2025-07-29T09:36:10.631Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["EPiServer.CMS.Core"], "product": "Episerver Content Management System (CMS)", "vendor": "Optimizely", "versions": [{"lessThan": "11.21.4", "status": "affected", "version": "11.x", "versionType": "custom"}, {"lessThan": "12.22.1", "status": "affected", "version": "12.x", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Kai Zimmermann, SEC Consult Vulnerability Lab"}, {"lang": "en", "type": "finder", "value": "Felix Beie, SEC Consult Vulnerability Lab"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">The Episerver Content Management System (CMS) by Optimizely was affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities. This allowed an authenticated attacker to execute malicious JavaScript code in the victim's browser.<br>\n\n</span><br>The Admin dashboard offered the functionality to add gadgets to the dashboard.\nThis included the \"Notes\" gadget. An authenticated attacker with the corresponding\naccess rights (such as \"WebAdmin\") that was impersonating the victim could insert\nmalicious JavaScript code in these notes that would be executed if the victim\nvisited the dashboard.<br><br>Affected products: Version 11.X: EPiServer.CMS.Core (&lt;11.21.4) with EPiServer.CMS.UI (&lt;11.37.5), Version 12.X: EPiServer.CMS.Core (&lt;12.22.1) with EPiServer.CMS.UI (&lt;11.37.3)<br>\n\n<br>"}], "value": "The Episerver Content Management System (CMS) by Optimizely was affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities. This allowed an authenticated attacker to execute malicious JavaScript code in the victim's browser.\n\n\n\nThe Admin dashboard offered the functionality to add gadgets to the dashboard.\nThis included the \"Notes\" gadget. An authenticated attacker with the corresponding\naccess rights (such as \"WebAdmin\") that was impersonating the victim could insert\nmalicious JavaScript code in these notes that would be executed if the victim\nvisited the dashboard.\n\nAffected products: Version 11.X: EPiServer.CMS.Core (<11.21.4) with EPiServer.CMS.UI (<11.37.5), Version 12.X: EPiServer.CMS.Core (<12.22.1) with EPiServer.CMS.UI (<11.37.3)"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 4.8, "baseSeverity": "MEDIUM", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "shortName": "SEC-VLab", "dateUpdated": "2025-07-29T09:36:10.631Z"}, "references": [{"tags": ["patch"], "url": "https://api.nuget.optimizely.com/packages/episerver.cms.core/11.21.4#"}, {"tags": ["patch"], "url": "https://api.nuget.optimizely.com/packages/episerver.cms.core/12.22.1#"}, {"tags": ["third-party-advisory"], "url": "https://r.sec-consult.com/optimizely"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The vendor already provides a security patch (updated packages) which should be \ninstalled immediately.<br>\n\n<br>"}], "value": "The vendor already provides a security patch (updated packages) which should be \ninstalled immediately."}], "source": {"discovery": "UNKNOWN"}, "title": "Stored Cross-Site Scripting in Episerver Content Management System (CMS) Admin Dashboard", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-28T16:53:49.798098Z", "id": "CVE-2025-27800", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-28T16:54:13.180Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-27800", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-28T16:53:49.798098Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-28T16:53:57.236Z"}}], "cna": {"title": "Stored Cross-Site Scripting in Episerver Content Management System (CMS) Admin Dashboard", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Kai Zimmermann, SEC Consult Vulnerability Lab"}, {"lang": "en", "type": "finder", "value": "Felix Beie, SEC Consult Vulnerability Lab"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Optimizely", "modules": ["EPiServer.CMS.Core"], "product": "Episerver Content Management System (CMS)", "versions": [{"status": "affected", "version": "11.x", "lessThan": "11.21.4", "versionType": "custom"}, {"status": "affected", "version": "12.x", "lessThan": "12.22.1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "The vendor already provides a security patch (updated packages) which should be \ninstalled immediately.", "supportingMedia": [{"type": "text/html", "value": "The vendor already provides a security patch (updated packages) which should be \ninstalled immediately.<br>\n\n<br>", "base64": false}]}], "references": [{"url": "https://api.nuget.optimizely.com/packages/episerver.cms.core/11.21.4#", "tags": ["patch"]}, {"url": "https://api.nuget.optimizely.com/packages/episerver.cms.core/12.22.1#", "tags": ["patch"]}, {"url": "https://r.sec-consult.com/optimizely", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The Episerver Content Management System (CMS) by Optimizely was affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities. This allowed an authenticated attacker to execute malicious JavaScript code in the victim's browser.\n\n\n\nThe Admin dashboard offered the functionality to add gadgets to the dashboard.\nThis included the \"Notes\" gadget. An authenticated attacker with the corresponding\naccess rights (such as \"WebAdmin\") that was impersonating the victim could insert\nmalicious JavaScript code in these notes that would be executed if the victim\nvisited the dashboard.\n\nAffected products: Version 11.X: EPiServer.CMS.Core (<11.21.4) with EPiServer.CMS.UI (<11.37.5), Version 12.X: EPiServer.CMS.Core (<12.22.1) with EPiServer.CMS.UI (<11.37.3)", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">The Episerver Content Management System (CMS) by Optimizely was affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities. This allowed an authenticated attacker to execute malicious JavaScript code in the victim's browser.<br>\n\n</span><br>The Admin dashboard offered the functionality to add gadgets to the dashboard.\nThis included the \"Notes\" gadget. An authenticated attacker with the corresponding\naccess rights (such as \"WebAdmin\") that was impersonating the victim could insert\nmalicious JavaScript code in these notes that would be executed if the victim\nvisited the dashboard.<br><br>Affected products: Version 11.X: EPiServer.CMS.Core (&lt;11.21.4) with EPiServer.CMS.UI (&lt;11.37.5), Version 12.X: EPiServer.CMS.Core (&lt;12.22.1) with EPiServer.CMS.UI (&lt;11.37.3)<br>\n\n<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "shortName": "SEC-VLab", "dateUpdated": "2025-07-29T09:36:10.631Z"}}}, "cveMetadata": {"cveId": "CVE-2025-27800", "state": "PUBLISHED", "dateUpdated": "2025-07-29T09:36:10.631Z", "dateReserved": "2025-03-07T06:46:34.308Z", "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "datePublished": "2025-07-28T08:33:24.304Z", "assignerShortName": "SEC-VLab"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Episerver Content Management System (CMS) by Optimizely was affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities. This allowed an authenticated attacker to execute malicious JavaScript code in the victim's browser.\n\n\n\nThe Admin dashboard offered the functionality to add gadgets to the dashboard.\nThis included the \"Notes\" gadget. An authenticated attacker with the corresponding\naccess rights (such as \"WebAdmin\") that was impersonating the victim could insert\nmalicious JavaScript code in these notes that would be executed if the victim\nvisited the dashboard.\n\nAffected products: Version 11.X: EPiServer.CMS.Core (<11.21.4) with EPiServer.CMS.UI (<11.37.5), Version 12.X: EPiServer.CMS.Core (<12.22.1) with EPiServer.CMS.UI (<11.37.3)"}, {"lang": "es", "value": "Episerver Content Management System (CMS) by Optimizely se vio afectado por m\u00faltiples vulnerabilidades de Cross-Site Scripting (XSS) almacenado. Esto permiti\u00f3 que un atacante autenticado ejecutara c\u00f3digo JavaScript malicioso en el navegador de la v\u00edctima. El panel de administraci\u00f3n permit\u00eda a\u00f1adir gadgets, incluido el gadget \"Notes\". Un atacante autenticado con los permisos de acceso correspondientes (como \"WebAdmin\") que se hiciera pasar por la v\u00edctima pod\u00eda insertar c\u00f3digo JavaScript malicioso en estas notas, que se ejecutar\u00eda si la v\u00edctima visitaba el panel. Productos afectados: Versi\u00f3n 11.X: EPiServer.CMS.Core (&lt;11.21.4) con EPiServer.CMS.UI (&lt;11.37.5), Versi\u00f3n 12.X: EPiServer.CMS.Core (&lt;12.22.1) con EPiServer.CMS.UI (&lt;11.37.3)."}], "id": "CVE-2025-27800", "lastModified": "2025-07-29T14:14:29.590", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "type": "Secondary"}]}, "published": "2025-07-28T09:15:34.387", "references": [{"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "url": "https://api.nuget.optimizely.com/packages/episerver.cms.core/11.21.4#"}, {"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "url": "https://api.nuget.optimizely.com/packages/episerver.cms.core/12.22.1#"}, {"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "url": "https://r.sec-consult.com/optimizely"}], "sourceIdentifier": "551230f0-3615-47bd-b7cc-93e92e730bbf", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "type": "Secondary"}]}

{}