Confidentiality class: Internal & Partner
SEC Consult Vulnerability Lab Security Advisory < publishing date 20250728-0 >
=======================================================================
title: Multiple Stored Cross-Site Scripting Vulnerabilities
product: Optimizely Episerver Content Management System (EPiServer.CMS.Core)
vulnerable version: Version 11.X: <11.21.4
                    Version 12.X: <12.22.1
fixed version: Version 11.X: 11.21.4
               Version 12.X: 12.22.1
CVE number: CVE-2025-27800, CVE-2025-27801, CVE-2025-27802
impact: medium
homepage: https://www.optimizely.com
found: 2024-04-25
by: Kai Zimmermann (Office Frankfurt)
    Felix Beie (Office Fürth)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult, an Eviden business
    Europe | Asia
    https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Optimizely Content Management System equips marketers and developers with a modern,
fully composable suite of user-friendly tools. Deliver impactful experiences across
any channel, and personalize with AI-driven insights."
Source: https://www.optimizely.com/products/content-management/
Business recommendation:
------------------------
The vendor already provides a security patch (updated packages) which should be
installed immediately.
SEC Consult highly recommends performing a thorough security review of the product,
conducted by security professionals, to identify and resolve potential further
security issues.
Vulnerability overview/description:
-----------------------------------
1) Stored Cross-Site Scripting in Admin Dashboard (CVE-2025-27800)
The Admin dashboard offered the functionality to add gadgets to the dashboard.
This included the "Notes" gadget. An authenticated attacker with the corresponding
access rights (such as "WebAdmin") who was impersonating the victim could insert
malicious JavaScript code into these notes that would be executed when the victim
visited the dashboard.
2) Stored Cross-Site Scripting in Media Selection Preview (CVE-2025-27801)
ContentReference properties, which could be used in the "Edit" section of the CMS,
offered an upload functionality for documents. These documents could later be used
as displayed content on the page. It was possible to upload SVG files that include
malicious JavaScript code that would be executed if a user visited the direct URL
of the preview image. Attackers needed at least the role "WebEditor" in order to
exploit this issue.
3) Stored Cross-Site Scripting in Edit Preview (CVE-2025-27802)
RTE properties (text fields), which could be used in the "Edit" section of the CMS,
allowed the input of arbitrary text. It was possible to input malicious JavaScript
code in these properties that would be executed if a user visited the previewed
page. Attackers needed at least the role "WebEditor" in order to exploit this issue.
Proof of concept:
-----------------
1) Stored Cross-Site Scripting in Admin Dashboard (CVE-2025-27800)
After adding a newly created note on the dashboard, it could be edited by sending
the following request:
--------------------------------------------------------------------------------
POST /EPiServer/CMS/Notes/Save?preferredNamespace=EPiServer.Cms.Shell.UI.Controllers.Internal&gadgetId=$GADGETID HTTP/2
Host: $SERVER
Cookie: sessionId=[...]; .EPiServerLogin=[...]; .ASPXROLES=[...]; __RequestVerificationToken=[...]
Content-Type: application/x-www-form-urlencoded
Content-Length: 177
content=Test%3cbr%3e%3cimg%20src%3dx%20onerror%3dalert(window.location)%3e&__RequestVerificationToken=[...]
--------------------------------------------------------------------------------
Visiting the dashboard again, as seen in figure 1 below, showed that the
JavaScript code was executed:
[01_admin_dashboard.png]
2) Stored Cross-Site Scripting in Media Selection Preview (CVE-2025-27801)
The following SVG file containing a JavaScript alert could be uploaded as a document
in one of the ContentReference properties:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Visiting the preview URL, as seen in figure 2 below, showed that the JavaScript alert
was executed:
[02_svg_upload.png]
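The following Python check is an added example and not Optimizely's code; it shows the
server-side validation an upload handler for ContentReference documents needs in order
to refuse files like the one above. It parses the candidate SVG and rejects script
elements, event-handler attributes, non-http(s) references and animation elements that
retarget href; the two sample SVGs are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SVG_NS = "{http://www.w3.org/2000/svg}"
FORBIDDEN_ELEMENTS = {"script", "foreignobject"}  # run JS or embed HTML
ANIMATION_ELEMENTS = {"set", "animate"}           # can rewrite attributes at runtime
URL_ATTRS = {"href", "src"}                       # xlink:href also maps to "href"
SAFE_SCHEMES = {"", "http", "https"}              # "" covers "#id" and relative paths

# Constructed samples: the first mirrors the kind of file used in the PoC.
SVG_WITH_SCRIPT = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
SVG_PLAIN = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
             b'<circle cx="5" cy="5" r="4" fill="#0f0"/></svg>')


def _local(name):
    """Strip an ElementTree '{namespace}' prefix: '{ns}href' -> 'href'."""
    return name.rsplit("}", 1)[-1].lower()


def svg_reject_reasons(data):
    """Return the reasons an uploaded SVG should be rejected (empty list = accepted).

    NOTE: stdlib ElementTree keeps the example dependency-free; production code
    should parse untrusted XML with defusedxml. Uploads never need a DTD, so any
    declaration is refused before parsing (blocks XXE / entity expansion).
    """
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return ["DTD or entity declaration present"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != SVG_NS + "svg":
        return [f"root element {root.tag!r} is not an SVG document"]
    reasons = []
    for el in root.iter():
        name = _local(el.tag)
        if name in FORBIDDEN_ELEMENTS:
            reasons.append(f"forbidden element <{name}>")
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.startswith("on"):  # onload, onclick, onbegin, ...
                reasons.append(f"event handler attribute {a} on <{name}>")
            elif a in URL_ATTRS and urlsplit(value.strip()).scheme not in SAFE_SCHEMES:
                reasons.append(f"unsafe scheme in {a}={value!r} on <{name}>")  # javascript:, data:
        if name in ANIMATION_ELEMENTS and _local(el.attrib.get("attributeName", "")).endswith("href"):
            reasons.append(f"<{name}> retargets an href attribute")
    return reasons
```

Serving user uploads with Content-Disposition: attachment, or from a separate origin, limits the impact of anything such a filter misses.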
3) Stored Cross-Site Scripting in Edit Preview (CVE-2025-27802)
When adding HTML elements directly in the input field, they were encoded by the
frontend. The request, which was sent when editing the text, could be intercepted
and modified so that the encoding was reverted. The following request was then
sent to add a malicious JavaScript element that caused an alert when the element
was rendered:
--------------------------------------------------------------------------------
POST /EPiServer/cms/Stores/contentdata/$ID HTTP/2
Host: $SERVER
Cookie: .EPiServerLogin=[...];
Content-Length: 194
Content-Type: application/json
[...]
{"id":"$ID","properties":{"address":"\"[...][...]""},"action":$ACTIONID}
--------------------------------------------------------------------------------
After publishing the changes, the page preview could be visited by clicking on the
respective icon on the top right of the "Edit" section. Before the preview was
shown, the JavaScript alert was executed, as can be seen in figure 3 below:
[03_edit_preview.png]
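As an added example (not Optimizely's code), the following Python allow-list sanitiser
shows the server-side filtering that was missing behind the frontend-only encoding in
PoC 1 and PoC 3: content of the Notes gadget and RTE properties is reduced to a small
set of tags, so the img/onerror payload from PoC 1, script elements and javascript:
links are removed before storage. The allow-list itself is an assumption chosen for
the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list for this example; choose per field (a dashboard note needs less).
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL or fragment
# Constructed sample: the URL-decoded "content" field of the PoC 1 request.
POC_NOTE = "Test<br><img src=x onerror=alert(window.location)>"

class AllowListSanitizer(HTMLParser):
    """Re-serialise allow-listed tags/attributes only: other tags are dropped, text
    is re-escaped, <script>/<style> bodies are discarded. Tags are not balanced."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # "&lt;" arrives as "<", is re-escaped
        self.out, self.skip = [], 0              # skip > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # <img src=x onerror=...> vanishes entirely
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # removes every on* handler, style, src, ...
            if name == "href" and urlsplit(value.strip()).scheme not in SAFE_SCHEMES:
                continue  # javascript:, data:, vbscript: links are stripped
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag != "br":  # <br> is void, never closed
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(fragment):
    """Return a safe HTML fragment for storing or rendering note/RTE content."""
    p = AllowListSanitizer()
    p.feed(fragment)
    p.close()  # flushes text buffered by convert_charrefs
    return "".join(p.out)
```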
Vulnerable / tested versions:
-----------------------------
The vendor confirmed that the following plugin versions are affected:
* Version 11.X: EPiServer.CMS.Core (<11.21.4) with EPiServer.CMS.UI (<11.37.5)
* Version 12.X: EPiServer.CMS.Core (<12.22.1) with EPiServer.CMS.UI (<11.37.3)
Vendor contact timeline:
------------------------
2024-05-23: Contacting vendor through securityeng@optimizely.com
2024-05-24: Vendor responds to submit our vulnerabilities at Bugcrowd
2024-05-27: Asking vendor if it is possible via email, no suitable category
            at Bugcrowd; no response.
2024-06-04: Asking vendor where to submit the advisory for the CMS;
            Vendor confirms that Bugcrowd should not be used and requested
            advisory unencrypted via email. Submitted advisory.
2024-06-06: Sending requested information to the vendor; Vendor responds they
            got everything they need to check the provided advisory.
2024-06-10: Vendor provides details for all vulnerabilities. According to the
            information, most XSS are present due to intentional design
            choices;
            Asking for details regarding affected versions and a planned
            timeline to fix the vulnerabilities.
2024-06-12: Vendor provides information that probably all versions are
            affected by the vulnerabilities, as it is a design choice;
            Stored XSS in Admin Dashboard and Media Selection Preview were only
            kept as a backlog/research item;
            There was no planned ETA for any of the 3 vulnerabilities.
2024-06-18: Contacted vendor, explaining why the vulnerabilities should not
            be considered as "by design".
2024-06-25: Update from vendor that the issues were going to be flagged for
            resolution. The findings were planned to be resolved within 3
            months.
2024-09-24: Asked for a status update.
2024-09-24: Vendor contact checked with product team internally.
2024-10-01: Asked for a status update.
2024-10-08: Vendor confirmed first XSS issue fixed in CMS 12. Team was working on
            remaining two issues, planned to be resolved by mid December.
2024-12-10: Asked for a status update.
2025-01-06: Vendor confirmed that the instances have been remediated and provided
            affected plugins and versions. Vendor asked to wait with publication
            until a scheduled retest had been performed later this month.
2025-02-05: Asked for a status update.
2025-02-24: Asked for a status update.
2025-03-07: Reserved CVE numbers, sending updated advisory to vendor, scheduled
            release for next week; Vendor was reviewing the advisory internally.
2025-03-14: Vendor asked to postpone publication until the end of Q2. Reason given
            is that some customers were still using CMS major version 11, while the
            patches were only developed for CMS major version 12.
2025-03-17: Asked vendor to clarify the updating process for customers.
2025-05-21: Asked for a status update.
2025-06-02: Vendor confirmed current timeline (end of Q2). There were different
            fixes for CMS version 11 and 12.
2025-07-01: Asked for a status update.
2025-07-03: Received fixed packages for CMS 11 and confirmation of packages for CMS 12.
2025-07-28: Coordinated release of advisory.
Solution:
---------
The vendor provided the following updates. These versions of EPiServer.CMS.Core
include a configuration to optionally filter for JavaScript code. Customers are
urged to install the latest version and adjust the configuration accordingly
in order to patch the security issues:
* Version 11.X: Update EPiServer.CMS.Core to version 11.21.4 or higher
                Update EPiServer.CMS.UI to version 11.37.5 or higher (dependency requirement)
* Version 12.X: Update EPiServer.CMS.Core to version 12.22.1 or higher
                Update EPiServer.CMS.UI to version 11.37.3 or higher (dependency requirement)
Workaround:
-----------
None
Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
X: https://x.com/sec_consult
EOF Kai Zimmermann, Felix Beie / 2025