CVE-2025-27800

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://api.nuget.optimizely.com/packages/episerver.cms.core/11.21.4#", "name": "https://api.nuget.optimizely.com/packages/episerver.cms.core/11.21.4#", "tags": [], "refsource": ""}, {"url": "https://api.nuget.optimizely.com/packages/episerver.cms.core/12.22.1#", "name": "https://api.nuget.optimizely.com/packages/episerver.cms.core/12.22.1#", "tags": [], "refsource": ""}, {"url": "https://r.sec-consult.com/optimizely", "name": "https://r.sec-consult.com/optimizely", "tags": [], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The Episerver Content Management System (CMS) by Optimizely was affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities. This allowed an authenticated attacker to execute malicious JavaScript code in the victim's browser.\n\n\n\nThe Admin dashboard offered the functionality to add gadgets to the dashboard.\nThis included the \"Notes\" gadget. An authenticated attacker with the corresponding\naccess rights (such as \"WebAdmin\") that was impersonating the victim could insert\nmalicious JavaScript code in these notes that would be executed if the victim\nvisited the dashboard.\n\nAffected products: Version 11.X: EPiServer.CMS.Core (<11.21.4) with EPiServer.CMS.UI (<11.37.5), Version 12.X: EPiServer.CMS.Core (<12.22.1) with EPiServer.CMS.UI (<11.37.3)"}]}, "problemtype": {"problemtype_data": [{"description": []}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2025-27800", "ASSIGNER": "security-research@sec-consult.com"}}, "impact": {}, "publishedDate": "2025-07-28T09:15Z", "configurations": {"nodes": [], "CVE_data_version": "4.0"}, "lastModifiedDate": "2025-07-29T10:15Z"}