CVE-2025-27802
MEDIUMOptimizely Episerver CMS 11.x < 11.21.4 and 12.x < 12.22.1 - Authenticated Stored Cross-Site Scripting in RTE Properties
Title source: llmDescription
The Episerver Content Management System (CMS) by Optimizely was affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities. This allowed an authenticated attacker to execute malicious JavaScript code in the victim's browser. RTE properties (text fields), which could be used in the "Edit" section of the CMS, allowed the input of arbitrary text. It was possible to input malicious JavaScript code in these properties that would be executed if a user visits the previewed page. Attackers needed at least the role "WebEditor" in order to exploit this issue. Affected products: Version 11.X: EPiServer.CMS.Core (<11.21.4) with EPiServer.CMS.UI (<11.37.5), Version 12.X: EPiServer.CMS.Core (<12.22.1) with EPiServer.CMS.UI (<11.37.3)
References (4)
Core 4
Core References
Mailing List
http://seclists.org/fulldisclosure/2025/Aug/18
Various Sources patch
https://api.nuget.optimizely.com/packages/episerver.cms.core/11.21.4#
Various Sources patch
https://api.nuget.optimizely.com/packages/episerver.cms.core/12.22.1#
Various Sources third-party-advisory
https://r.sec-consult.com/optimizely
Scores
CVSS v3
4.8
EPSS
0.0033
EPSS Percentile
24.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
Optimizely/Episerver Content Management System (CMS)
11.x - 11.21.4
Optimizely/Episerver Content Management System (CMS)
12.x - 12.22.1
Published
Jul 28, 2025
Tracked Since
Feb 18, 2026