
CVE-2025-27800: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Optimizely Episerver Content Management System (CMS)

Severity: Medium
Tags: Vulnerability, CVE-2025-27800, CWE-79
Published: Mon Jul 28 2025 (07/28/2025, 08:33:24 UTC)
Source: CVE Database V5
Vendor/Project: Optimizely
Product: Episerver Content Management System (CMS)

Description

The Episerver Content Management System (CMS) by Optimizely was affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities. This allowed an authenticated attacker to execute malicious JavaScript code in the victim's browser. The Admin dashboard offered the functionality to add gadgets to the dashboard. This included the "Notes" gadget. An authenticated attacker with the corresponding access rights (such as "WebAdmin") that was impersonating the victim could insert malicious JavaScript code in these notes that would be executed if the victim visited the dashboard.

Affected products:
- Version 11.X: EPiServer.CMS.Core (<11.21.4) with EPiServer.CMS.UI (<11.37.5)
- Version 12.X: EPiServer.CMS.Core (<12.22.1) with EPiServer.CMS.UI (<11.37.3)

AI-Powered Analysis

AI analysis last updated: 11/04/2025, 02:28:32 UTC

Technical Analysis

CVE-2025-27800 is a stored Cross-Site Scripting (XSS) vulnerability in the Optimizely Episerver Content Management System (CMS). It affects the 11.x line (EPiServer.CMS.Core below 11.21.4 combined with EPiServer.CMS.UI below 11.37.5) and the 12.x line (EPiServer.CMS.Core below 12.22.1 combined with EPiServer.CMS.UI below 11.37.3). The root cause is improper neutralization of input during web page generation (CWE-79) in the Admin dashboard's gadget functionality, notably the 'Notes' gadget. An attacker with authenticated access and sufficient privileges (e.g., the WebAdmin role) can store JavaScript in a note; when another user with dashboard access views the dashboard, the stored script executes in that user's browser context. Possible outcomes include session hijacking, actions performed with the victim's privileges, and exfiltration of data visible to the victim. Because the attack requires both authentication and user interaction, its scope is limited, but the risk remains significant wherever several administrators or privileged users share the dashboard. The vulnerability does not directly compromise the confidentiality, integrity, or availability of the CMS itself; what it undermines is the security of privileged user sessions and the trustworthiness of the CMS interface. No public exploits are currently known, but the presence of this flaw in widely deployed CMS versions warrants prompt attention. The CVSS 4.0 base score is 4.8 (medium): privileges and user interaction are required, but once those conditions are met the flaw is straightforward to exploit. The vulnerability was published on July 28, 2025, and is tracked under CWE-79.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to the integrity and confidentiality of administrative sessions within the Optimizely Episerver CMS environment. Successful exploitation could allow attackers to execute arbitrary JavaScript in the context of privileged users, potentially leading to session hijacking, unauthorized administrative actions, or theft of sensitive information. This could disrupt content management workflows, lead to defacement or manipulation of published content, and damage organizational reputation. Organizations in sectors such as government, finance, healthcare, and media that rely on Episerver CMS for critical web presence or internal portals are particularly vulnerable. The requirement for authenticated access and user interaction reduces the likelihood of widespread automated exploitation but does not eliminate targeted attacks, especially insider threats or compromised credentials. The impact on availability is minimal, but the breach of trust and potential data leakage can have significant operational and compliance consequences under regulations like GDPR.

Mitigation Recommendations

1. Apply official patches from Optimizely as soon as they become available for EPiServer.CMS.Core and EPiServer.CMS.UI components to remediate the vulnerability.
2. Restrict WebAdmin and other high-privilege roles to the minimum necessary personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA).
3. Monitor and audit dashboard gadget usage, especially the Notes gadget, for unusual or unauthorized content changes.
4. Implement Content Security Policy (CSP) headers to limit the impact of injected scripts if exploitation occurs.
5. Educate administrators about the risks of clicking on dashboard elements and encourage cautious behavior.
6. Consider isolating or disabling non-essential dashboard gadgets until patches are applied.
7. Regularly review and update user permissions to ensure least privilege principles are enforced.
8. Conduct penetration testing and vulnerability scanning focused on CMS administrative interfaces to detect similar issues proactively.
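As a concrete starting point for step 1, the following added example (not Optimizely's code, and not from the CVE record) encodes the affected ranges quoted in the description above and checks a project's EPiServer.CMS.Core / EPiServer.CMS.UI package versions against them; the `.csproj` fragment is constructed, and the `PackageReference` attribute order it parses is an assumption.

```python
"""Check an Episerver CMS install against the CVE-2025-27800 affected ranges."""
import re
from typing import Optional

# Affected ranges exactly as stated in the CVE description, keyed by Core major:
#   11.x: EPiServer.CMS.Core < 11.21.4 together with EPiServer.CMS.UI < 11.37.5
#   12.x: EPiServer.CMS.Core < 12.22.1 together with EPiServer.CMS.UI < 11.37.3
AFFECTED = {
    11: ((11, 21, 4), (11, 37, 5)),
    12: ((12, 22, 1), (11, 37, 3)),
}

def parse_version(s: str) -> tuple:
    """'11.21.3' -> (11, 21, 3); pads to three components so tuples compare cleanly."""
    parts = [int(p) for p in s.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(core: str, ui: str) -> bool:
    """True when BOTH packages sit below the fixed versions for the Core major line."""
    core_v, ui_v = parse_version(core), parse_version(ui)
    bounds = AFFECTED.get(core_v[0])
    if bounds is None:            # e.g. 10.x or 13.x: outside the advisory's ranges
        return False
    core_fix, ui_fix = bounds
    return core_v < core_fix and ui_v < ui_fix

# Assumes Include precedes Version on the element (true for SDK-style projects
# as commonly written, but not guaranteed by MSBuild).
PKG_RE = re.compile(r'<PackageReference\s+Include="([^"]+)"\s+Version="([^"]+)"')

def versions_from_csproj(text: str) -> dict:
    """Map package id -> version for every PackageReference in a .csproj."""
    return {name: ver for name, ver in PKG_RE.findall(text)}

def check_csproj(text: str) -> Optional[bool]:
    """None when either package is absent, else whether the pair is affected."""
    pkgs = versions_from_csproj(text)
    core, ui = pkgs.get("EPiServer.CMS.Core"), pkgs.get("EPiServer.CMS.UI")
    if core is None or ui is None:
        return None
    return is_affected(core, ui)

# Constructed sample project file (not taken from any real deployment)
SAMPLE_CSPROJ = """
<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="EPiServer.CMS.Core" Version="12.21.0" />
    <PackageReference Include="EPiServer.CMS.UI" Version="11.37.2" />
  </ItemGroup>
</Project>
"""

if __name__ == "__main__":
    print("affected by CVE-2025-27800:", check_csproj(SAMPLE_CSPROJ))
```

A result of `None` means the project does not reference both packages directly (for example when they come in transitively), so the installed versions must be read from the restore output instead.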


Technical Details

Data Version: 5.1
Assigner Short Name: SEC-VLab
Date Reserved: 2025-03-07T06:46:34.308Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68873928ad5a09ad008166a5

Added to database: 7/28/2025, 8:47:36 AM

Last enriched: 11/4/2025, 2:28:32 AM

Last updated: 12/3/2025, 3:08:18 AM

