logo_clicknbuy.png

CVE-2025-27800 – “Optimizely Episerver Stored Cross-Site Scripting Vulnerability”

The following table lists the changes that have been made to the
CVE-2025-27800 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution
of a vulnerability, and for identifying the most recent changes that may
impact the vulnerability’s severity, exploitability, or other characteristics.

  • CVE Modified
    by 551230f0-3615-47bd-b7cc-93e92e730bbf

    Jul. 28, 2025

    Action Type Old Value New Value
    Added CVSS V4.0 AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
    Removed CVSS V4.0 AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • New CVE Received
    by 551230f0-3615-47bd-b7cc-93e92e730bbf

    Jul. 28, 2025

    Action Type Old Value New Value
    Added Description The Episerver Content Management System (CMS) by Optimizely was affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities. This allowed an authenticated attacker to execute malicious JavaScript code in the victim’s browser.

    The Admin dashboard offered the functionality to add gadgets to the dashboard.
    This included the “Notes” gadget. An authenticated attacker with the corresponding
    access rights (such as “WebAdmin”) that was impersonating the victim could insert
    malicious JavaScript code in these notes that would be executed if the victim
    visited the dashboard.

    Affected products: Version 11.X: EPiServer.CMS.Core (<11.21.4) with EPiServer.CMS.UI (<11.37.5), Version 12.X: EPiServer.CMS.Core (<12.22.1) with EPiServer.CMS.UI (<11.37.3)
    Added CVSS V4.0 AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
    Added CVSS V3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
    Added CWE CWE-79
    Added Reference https://support.optimizely.com/hc/en-us/articles/30886353301645-2025-Optimizely-CMS-11-PaaS-release-notes#h_01K09MR1SZS4FEAPD4478GQ0FR
    Added Reference https://support.optimizely.com/hc/en-us/articles/37757063222029-2024-Optimizely-CMS-12-PaaS-release-notes#h_01JN4AZV48WKNADH3KWC2GYDS5
Share the Post:

Related Posts