CVE-2025-27801: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Optimizely Episerver Content Management System (CMS)
The Episerver Content Management System (CMS) by Optimizely was affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities. This allowed an authenticated attacker to execute malicious JavaScript code in the victim's browser. ContentReference properties, which could be used in the "Edit" section of the CMS, offered an upload functionality for documents. These documents could later be used as displayed content on the page. It was possible to upload SVG files that include malicious JavaScript code that would be executed if a user visited the direct URL of the preview image. Attackers needed at least the role "WebEditor" in order to exploit this issue.
Affected products:
- Version 11.X: EPiServer.CMS.Core (<11.21.4) with EPiServer.CMS.UI (<11.37.5)
- Version 12.X: EPiServer.CMS.Core (<12.22.1) with EPiServer.CMS.UI (<11.37.3)
AI Analysis
Technical Summary
CVE-2025-27801 is a medium-severity stored Cross-Site Scripting (XSS) vulnerability affecting the Optimizely Episerver Content Management System (CMS) versions 11.x and 12.x. The vulnerability arises from improper neutralization of input during web page generation (CWE-79). Specifically, the issue is linked to the ContentReference properties within the CMS's "Edit" section, which allow authenticated users with at least the "WebEditor" role to upload documents, including SVG files. SVG files can contain embedded JavaScript code, and due to insufficient sanitization or validation, malicious scripts embedded in these SVG files are executed when a user accesses the direct URL of the preview image. This stored XSS flaw enables an attacker to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability affects EPiServer.CMS.Core versions prior to 11.21.4 and 12.22.1, and EPiServer.CMS.UI versions prior to 11.37.5 and 11.37.3 respectively. Exploitation requires authenticated access with elevated privileges (WebEditor role), and user interaction is necessary to trigger the malicious payload by visiting the preview image URL. No known exploits are currently reported in the wild, and no official patches are linked in the provided data, though updates to the specified versions likely address the issue. The CVSS v4.0 score of 4.6 reflects a medium severity, considering network attack vector, low complexity, required privileges, and user interaction.
Potential Impact
For European organizations using the Optimizely Episerver CMS, this vulnerability poses a risk primarily to internal users and content editors who have the WebEditor role or higher. Successful exploitation could lead to unauthorized script execution in the browsers of users who preview uploaded SVG content, potentially compromising session tokens, enabling phishing attacks, or facilitating lateral movement within the CMS environment. This could result in unauthorized content manipulation, data leakage, or reputational damage. Given the CMS's role in managing web content, exploitation could also lead to defacement or distribution of malicious content to end-users. The impact is particularly relevant for organizations with complex content workflows and multiple editors, such as media companies, government agencies, and large enterprises prevalent in Europe. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially in environments with weak access controls or insider threats. Additionally, the vulnerability could be leveraged as part of a broader attack chain targeting European organizations relying on this CMS for public-facing or internal websites.
Mitigation Recommendations
1. Immediate upgrade to the fixed versions of EPiServer.CMS.Core (>=11.21.4 for 11.x and >=12.22.1 for 12.x) and EPiServer.CMS.UI (>=11.37.5 for 11.x and >=11.37.3 for 12.x) once available from Optimizely.
2. Implement strict input validation and sanitization on uploaded SVG files, including disabling or filtering out embedded scripts within SVG content at the application or proxy level.
3. Restrict the WebEditor role assignment to trusted personnel only and review role-based access controls regularly to minimize the number of users who can upload content.
4. Employ Content Security Policy (CSP) headers to limit the execution of inline scripts and restrict sources of executable scripts on CMS-managed pages.
5. Monitor CMS logs and user activities for unusual upload patterns or access to preview URLs that could indicate exploitation attempts.
6. Educate content editors about the risks of uploading untrusted SVG files and encourage the use of sanitized image formats.
7. If immediate patching is not feasible, consider disabling SVG uploads or preview functionality temporarily to reduce exposure.
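Mitigation items 2 and 7 above (and the technical summary's point that script embedded in an uploaded SVG runs when the preview URL is opened) call for rejecting active content in SVG uploads before they are stored. The following is an added example, not Optimizely's or Episerver's code: an upload-gateway check that flags the vectors a browser would execute in a directly served SVG. It assumes the upload pipeline can call find_active_content() on the file bytes before storing; the sample SVGs are constructed.

```python
"""Reject SVG uploads that carry active content (added example, not Episerver code)."""
import re
import xml.etree.ElementTree as ET
from typing import List

XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements a browser treats as script-capable when it renders the SVG directly.
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# URL-valued attributes: a javascript: or data: scheme is rejected.
URL_ATTRS = {"href", "{%s}href" % XLINK_NS}
BAD_SCHEME = re.compile(r"\s*(javascript|data)\s*:", re.I)


def local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return tag.rsplit("}", 1)[-1]


def find_active_content(svg_bytes: bytes) -> List[str]:
    """Return findings; an empty list means no active content was detected.

    A file that fails to parse is reported as a finding, so malformed input
    is rejected rather than accepted by default. For untrusted XML in
    production, parse with defusedxml to also block entity-expansion attacks.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return ["parse error: %s" % exc]
    findings = []
    if local_name(root.tag) != "svg":
        findings.append("root element is <%s>, not <svg>" % local_name(root.tag))
    for elem in root.iter():  # includes the root element itself
        name = local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append("<%s> element" % name)
        for attr, value in elem.attrib.items():
            short = local_name(attr)
            # Conservative: any on* attribute is treated as an event handler.
            if short.lower().startswith("on"):
                findings.append("event handler attribute %s on <%s>" % (short, name))
            elif attr in URL_ATTRS and BAD_SCHEME.match(value):
                findings.append("%s with script-capable scheme on <%s>" % (short, name))
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """True only when the SVG parsed cleanly and no finding was raised."""
    return not find_active_content(svg_bytes)


# Constructed samples: a plain icon, and an SVG carrying a script plus an onload handler.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
              b'<script>x()</script></svg>')
```

This is a reject-on-detect gate, not a sanitizer; as a second layer, serve stored uploads with a CSP that blocks inline script (mitigation item 4) so a file that slips through still cannot run.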
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Norway, Denmark, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: SEC-VLab
- Date Reserved: 2025-03-07T06:46:34.309Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68873928ad5a09ad008166a9
Added to database: 7/28/2025, 8:47:36 AM
Last enriched: 8/5/2025, 1:16:06 AM
Last updated: 8/30/2025, 9:07:46 PM