{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-10T17:11:19.582","vulnerabilities":[{"cve":{"id":"CVE-2025-27800","sourceIdentifier":"551230f0-3615-47bd-b7cc-93e92e730bbf","published":"2025-07-28T09:15:34.387","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"The Episerver Content Management System (CMS) by Optimizely was affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities. This allowed an authenticated attacker to execute malicious JavaScript code in the victim's browser.\n\n\n\nThe Admin dashboard offered the functionality to add gadgets to the dashboard.\nThis included the \"Notes\" gadget. An authenticated attacker with the corresponding\naccess rights (such as \"WebAdmin\") that was impersonating the victim could insert\nmalicious JavaScript code in these notes that would be executed if the victim\nvisited the dashboard.\n\nAffected products: Version 11.X: EPiServer.CMS.Core (<11.21.4) with EPiServer.CMS.UI (<11.37.5), Version 12.X: EPiServer.CMS.Core (<12.22.1) with EPiServer.CMS.UI (<11.37.3)"},{"lang":"es","value":"Episerver Content Management System (CMS) by Optimizely se vio afectado por múltiples vulnerabilidades de Cross-Site Scripting (XSS) almacenado. Esto permitió que un atacante autenticado ejecutara código JavaScript malicioso en el navegador de la víctima. El panel de administración permitía añadir gadgets, incluido el gadget \"Notes\". Un atacante autenticado con los permisos de acceso correspondientes (como \"WebAdmin\") que se hiciera pasar por la víctima podía insertar código JavaScript malicioso en estas notas, que se ejecutaría si la víctima visitaba el panel. Productos afectados: Versión 11.X: EPiServer.CMS.Core (&lt;11.21.4) con EPiServer.CMS.UI (&lt;11.37.5), Versión 12.X: EPiServer.CMS.Core (&lt;12.22.1) con EPiServer.CMS.UI (&lt;11.37.3)."}],"metrics":{"cvssMetricV40":[{"source":"551230f0-3615-47bd-b7cc-93e92e730bbf","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"551230f0-3615-47bd-b7cc-93e92e730bbf","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.7,"impactScore":2.7}]},"weaknesses":[{"source":"551230f0-3615-47bd-b7cc-93e92e730bbf","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"references":[{"url":"https://api.nuget.optimizely.com/packages/episerver.cms.core/11.21.4#","source":"551230f0-3615-47bd-b7cc-93e92e730bbf"},{"url":"https://api.nuget.optimizely.com/packages/episerver.cms.core/12.22.1#","source":"551230f0-3615-47bd-b7cc-93e92e730bbf"},{"url":"https://r.sec-consult.com/optimizely","source":"551230f0-3615-47bd-b7cc-93e92e730bbf"},{"url":"http://seclists.org/fulldisclosure/2025/Aug/18","source":"af854a3a-2127-422b-91ae-364da2661108"}]}}]}