
CVE-2025-27800: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Optimizely Episerver Content Management System (CMS)

Medium
Tags: Vulnerability, CVE-2025-27800, CWE-79
Published: Mon Jul 28 2025 (07/28/2025, 08:33:24 UTC)
Source: CVE Database V5
Vendor/Project: Optimizely
Product: Episerver Content Management System (CMS)

Description

The Episerver Content Management System (CMS) by Optimizely was affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities. This allowed an authenticated attacker to execute malicious JavaScript code in the victim's browser. The Admin dashboard offered the functionality to add gadgets to the dashboard. This included the "Notes" gadget. An authenticated attacker with the corresponding access rights (such as "WebAdmin") that was impersonating the victim could insert malicious JavaScript code in these notes that would be executed if the victim visited the dashboard. Affected products: Version 11.X: EPiServer.CMS.Core (<11.21.4) with EPiServer.CMS.UI (<11.37.5), Version 12.X: EPiServer.CMS.Core (<12.22.1) with EPiServer.CMS.UI (<11.37.3)

AI-Powered Analysis

Last updated: 08/05/2025, 01:15:54 UTC

Technical Analysis

CVE-2025-27800 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability affecting the Optimizely Episerver Content Management System (CMS) versions 11.x and 12.x prior to specific patch levels (EPiServer.CMS.Core <11.21.4 and <12.22.1, EPiServer.CMS.UI <11.37.5 and <11.37.3 respectively). The vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically within the Admin dashboard's gadget functionality. The 'Notes' gadget allows authenticated users with elevated privileges (such as those with 'WebAdmin' rights) to insert arbitrary JavaScript code. If an attacker with these rights impersonates a victim, they can embed malicious scripts into the notes. When the victim subsequently accesses the dashboard, the malicious JavaScript executes in their browser context. This can lead to session hijacking, unauthorized actions, or data theft within the CMS environment. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), high privileges required (PR:H), passive user interaction (UI:P), and limited scope and security impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild. The vulnerability is significant because it targets administrative users who have broad control over the CMS, potentially enabling attackers to escalate privileges or pivot within the network. Given the CMS's role in managing website content, exploitation could also lead to defacement or distribution of malicious content to end users.

Potential Impact

For European organizations using Optimizely Episerver CMS, this vulnerability poses a risk primarily to internal administrative users. Successful exploitation could allow attackers to execute malicious scripts in the context of admin sessions, potentially leading to unauthorized access to sensitive content, manipulation of website data, or further compromise of internal systems. This is particularly impactful for organizations relying heavily on Episerver CMS for public-facing websites or intranet portals, as it could result in reputational damage, data leakage, or compliance violations under GDPR if personal data is exposed. The requirement for authenticated access with elevated privileges limits the attack surface but does not eliminate risk, especially in environments with weak internal access controls or where credential compromise is possible. Additionally, the vulnerability could be leveraged in targeted attacks against high-value European entities such as government agencies, financial institutions, or large enterprises that utilize Episerver CMS, amplifying the potential impact.

Mitigation Recommendations

1. Immediate patching: Organizations should upgrade to the fixed versions of EPiServer.CMS.Core (≥11.21.4 for 11.x, ≥12.22.1 for 12.x) and EPiServer.CMS.UI (≥11.37.5 for 11.x, ≥11.37.3 for 12.x) as soon as patches become available.
2. Restrict administrative access: Limit 'WebAdmin' and equivalent high-privilege roles strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA).
3. Input validation and output encoding: Review and harden input sanitization processes for all user-generated content within the CMS, especially gadgets and notes functionality, to prevent injection of malicious scripts.
4. Monitor dashboard activity: Implement logging and monitoring of dashboard gadget usage and note modifications to detect suspicious behavior indicative of exploitation attempts.
5. Conduct regular security audits and penetration testing focused on CMS administrative interfaces to identify and remediate similar vulnerabilities proactively.
6. Educate administrators about phishing and credential security to reduce risk of privilege escalation via compromised accounts.
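The following is an added example, not Optimizely's code, illustrating recommendations 3 and 4 for a dashboard "Notes" gadget: the stored-XSS sink that interpolates note text straight into markup, the output-encoded rendering that fixes it, and a coarse audit check over stored notes. The note shape `{id, author, text}` and the sample notes are constructed assumptions, not the real Episerver gadget model.

```javascript
// Added example (not Optimizely's code). Note objects are constructed samples;
// the {id, author, text} shape is an assumption, not the Episerver model.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode untrusted text for use inside an HTML element body or a quoted attribute value.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable pattern: the stored note is trusted and concatenated as markup,
// so any tag an author stored is rendered live in every viewer's browser.
function renderNoteUnsafe(note) {
  return `<div class="note" data-author="${note.author}">${note.text}</div>`;
}

// Hardened pattern: every untrusted field is encoded at the point of output.
// Benign text with '<' or '&' also survives intact instead of corrupting the DOM.
function renderNoteSafe(note) {
  return `<div class="note" data-author="${encodeHtml(note.author)}">${encodeHtml(note.text)}</div>`;
}

// Audit check (recommendation 4): flag stored notes whose text carries markup
// that has no place in a plain-text note. A review signal, not a substitute
// for output encoding.
const MARKUP_INDICATORS = [
  /<\s*script\b/i,                 // inline or external script element
  /<\s*\w+[^>]*\son\w+\s*=/i,      // any tag carrying an on* event-handler attribute
  /javascript\s*:/i,               // javascript: URL scheme in an attribute
  /<\s*(iframe|object|embed|svg)\b/i,
];

// Returns the ids of notes that match at least one indicator.
function findSuspiciousNotes(notes) {
  return notes
    .filter((n) => MARKUP_INDICATORS.some((re) => re.test(n.text)))
    .map((n) => n.id);
}

// Constructed sample notes: one benign, one benign but containing '<' and '&',
// one carrying a script element.
const SAMPLE_NOTES = [
  { id: 1, author: 'editor1', text: 'Remember to publish the Q3 campaign page.' },
  { id: 2, author: 'editor2', text: 'Use a < b && b > c in the pricing formula' },
  { id: 3, author: 'admin', text: 'reminder <script>/* injected */</script>' },
];
```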


Technical Details

Data Version
5.1
Assigner Short Name
SEC-VLab
Date Reserved
2025-03-07T06:46:34.308Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68873928ad5a09ad008166a5

Added to database: 7/28/2025, 8:47:36 AM

Last enriched: 8/5/2025, 1:15:54 AM

Last updated: 8/30/2025, 4:38:00 PM

