CVE-2025-27802: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Optimizely Episerver Content Management System (CMS)
The Episerver Content Management System (CMS) by Optimizely was affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities. This allowed an authenticated attacker to execute malicious JavaScript code in the victim's browser. RTE properties (text fields), which could be used in the "Edit" section of the CMS, allowed the input of arbitrary text. It was possible to input malicious JavaScript code in these properties that would be executed if a user visits the previewed page. Attackers needed at least the role "WebEditor" in order to exploit this issue. Affected products: Version 11.X: EPiServer.CMS.Core (<11.21.4) with EPiServer.CMS.UI (<11.37.5), Version 12.X: EPiServer.CMS.Core (<12.22.1) with EPiServer.CMS.UI (<11.37.3)
AI Analysis
Technical Summary
CVE-2025-27802 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Optimizely Episerver Content Management System (CMS) versions 11.x and 12.x prior to specific patch versions (EPiServer.CMS.Core <11.21.4 and <12.22.1, EPiServer.CMS.UI <11.37.5 and <11.37.3 respectively). The vulnerability arises from improper neutralization of input during web page generation, specifically in Rich Text Editor (RTE) properties used in the CMS's "Edit" section. Authenticated users with at least the "WebEditor" role can input arbitrary text into these RTE fields, including malicious JavaScript code. When other users preview the affected pages, the script executes in their browsers, potentially leading to session hijacking, credential theft, or other client-side attacks. The vulnerability requires no user interaction beyond visiting the previewed page, but it does require the attacker to hold elevated privileges (the WebEditor role) within the CMS. The CVSS 4.0 base score is 4.8 (medium severity), reflecting a network attack vector, low attack complexity, the privileges required (the WebEditor role), and partial impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild. The vulnerability is classified under CWE-79, improper input neutralization leading to XSS. It affects widely used versions of Episerver CMS, a popular enterprise content management platform, making it a relevant concern for organizations relying on this software for web content management.
Potential Impact
For European organizations using Optimizely Episerver CMS, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of user sessions and data. An attacker with WebEditor privileges could inject malicious scripts that execute in the browsers of other CMS users or site visitors during page previews, potentially leading to theft of authentication tokens, unauthorized actions, or distribution of malware. This could result in unauthorized access to sensitive content, defacement, or reputational damage. Since the vulnerability requires authenticated access with elevated roles, the risk is somewhat mitigated by internal access controls; however, insider threats or compromised WebEditor accounts could exploit this flaw. The impact is particularly significant for organizations with complex content workflows involving multiple editors and reviewers, as well as those with high-value or sensitive web content. Additionally, the vulnerability could be leveraged as a foothold for further attacks within the organization's network if exploited successfully. Given the widespread use of Episerver CMS in sectors such as government, finance, and media across Europe, the potential for targeted attacks exploiting this vulnerability exists, especially where web content integrity and user trust are critical.
Mitigation Recommendations
1. Immediate patching: Prioritize upgrading Episerver CMS to the fixed versions (EPiServer.CMS.Core 11.21.4 or later for 11.x, and 12.22.1 or later for 12.x, together with the corresponding EPiServer.CMS.UI versions) as soon as possible.
2. Role auditing and minimization: Review and restrict assignment of the WebEditor role to trusted personnel only, reducing the number of accounts that can reach the vulnerable RTE properties.
3. Input validation and sanitization: Implement additional server-side validation of RTE content and output encoding when it is rendered, so that script injection is prevented even while patching is delayed.
4. Monitoring and logging: Enable detailed logging of CMS edits and preview actions to detect suspicious input patterns or anomalous behavior indicative of exploitation attempts.
5. User awareness and training: Educate CMS users, especially those with elevated roles, about the risks of pasting untrusted content and the importance of secure editing practices.
6. Web Application Firewall (WAF): Deploy or update WAF rules to detect and block common XSS payloads targeting the CMS preview functionality.
7. Segmentation and access controls: Limit network access to the CMS backend and preview features to trusted networks and users to reduce exposure.
Combined, these measures reduce both the likelihood and the impact of exploitation.
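Recommendation 3 asks for server-side sanitization of RTE content before a preview page is generated. The block below is an added example, not Optimizely's or Episerver's code and not built on the Episerver API; it assumes the CMS offers a hook where stored RTE HTML can be filtered before rendering. It implements an allowlist sanitizer on Python's standard-library html.parser: a small set of formatting tags is kept, every attribute except a safe-scheme href on links is dropped (which removes on* event handlers), script/style/iframe elements are removed together with their content, and all text is re-escaped so no new markup can be introduced. The allowlist, the function name sanitize_rte_html and the sample inputs are assumptions made for this example.

```python
"""Allowlist HTML sanitizer for rich-text (RTE) content before rendering.

Added example, not Episerver/Optimizely code. Assumes the CMS can run a
server-side filter over stored RTE HTML before the preview page is built.
"""
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: tags an editor legitimately needs in body text.
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li", "a", "h2", "h3"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")
# Content of these elements is discarded entirely, not just the tags.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}


class RteSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags currently open, closed in order
        self.skip_depth = 0   # >0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick/onerror/style/etc.
            if name == "href":
                v = (value or "").strip().lower()
                if not v.startswith(SAFE_URL_PREFIXES):
                    continue  # rejects javascript:, data:, vbscript: URLs
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        # Close every tag opened after this one as well (repairs mis-nesting).
        while self.open_tags:
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            # Text is decoded by the parser and re-encoded here, so a literal
            # "<" or "&" in editor text can never become markup.
            self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_tags:  # close anything the editor left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_rte_html(html: str) -> str:
    """Return a version of `html` containing only allowlisted markup."""
    parser = RteSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample of hostile editor input.
    sample = '<p>Hello <b>world</b><script>alert(1)</script><a href="javascript:alert(1)" onclick="x()">link</a></p>'
    print(sanitize_rte_html(sample))
```

In a real deployment the filter would run both when content is saved and again when it is rendered, and a maintained sanitizer library for the platform would normally replace a hand-written parser; the point of the example is the allowlist shape (tags, attributes, URL schemes) rather than the parser itself.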
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Belgium, Denmark, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: SEC-VLab
- Date Reserved: 2025-03-07T06:46:34.309Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68873cacad5a09ad00819c01
Added to database: 7/28/2025, 9:02:36 AM
Last enriched: 8/5/2025, 1:16:18 AM
Last updated: 8/30/2025, 3:56:34 PM