CVE-2025-22388

An issue was discovered in Optimizely EPiServer.CMS.Core before 12.22.0. A high-severity Stored Cross-Site Scripting (XSS) vulnerability exists in the CMS, allowing malicious actors to inject and execute arbitrary JavaScript code, potentially compromising user data, escalating privileges, or executing unauthorized actions. The issue exists in multiple areas, including content editing, link management, and file uploads.

CVSS v3 5.7 MEDIUM

5.7^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://support.optimizely.com/hc/en-us/articles/33182047260557-Content-Management-System-CMS-Security-Advisory-CMS-2025-01	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:optimizely:optimizely_cms:*:*:*:*:*:*:*:*

History

20 May 2025, 20:11

Type	Values Removed	Values Added
Summary		(es) Se descubrió un problema en Optimizely EPiServer.CMS.Core antes de la versión 12.22.0. Existe una vulnerabilidad de cross site scripting almacenado (XSS) de alta gravedad en el CMS, que permite a los actores maliciosos inyectar y ejecutar código JavaScript arbitrario, lo que podría comprometer los datos del usuario, aumentar los privilegios o ejecutar acciones no autorizadas. El problema existe en varias áreas, incluida la edición de contenido, la administración de enlaces y la carga de archivos.
References	~~() https://support.optimizely.com/hc/en-us/articles/33182047260557-Content-Management-System-CMS-Security-Advisory-CMS-2025-01 -~~	() https://support.optimizely.com/hc/en-us/articles/33182047260557-Content-Management-System-CMS-Security-Advisory-CMS-2025-01 - Vendor Advisory
CPE		cpe:2.3:a:optimizely:optimizely_cms::::::::
First Time		Optimizely optimizely Cms Optimizely

06 Jan 2025, 15:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.7

04 Jan 2025, 03:15

Type	Values Removed	Values Added
CWE		CWE-79

04 Jan 2025, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-04 02:15

Updated : 2025-05-20 20:11

NVD link : CVE-2025-22388

Mitre link : CVE-2025-22388

CVE.ORG link : CVE-2025-22388

JSON object : View

Products Affected

optimizely

optimizely_cms

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-22388", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.1}]}, "published": "2025-01-04T02:15:07.480", "references": [{"url": "https://support.optimizely.com/hc/en-us/articles/33182047260557-Content-Management-System-CMS-Security-Advisory-CMS-2025-01", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cve@mitre.org", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Optimizely EPiServer.CMS.Core before 12.22.0. A high-severity Stored Cross-Site Scripting (XSS) vulnerability exists in the CMS, allowing malicious actors to inject and execute arbitrary JavaScript code, potentially compromising user data, escalating privileges, or executing unauthorized actions. The issue exists in multiple areas, including content editing, link management, and file uploads."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Optimizely EPiServer.CMS.Core antes de la versi\u00f3n 12.22.0. Existe una vulnerabilidad de cross site scripting almacenado (XSS) de alta gravedad en el CMS, que permite a los actores maliciosos inyectar y ejecutar c\u00f3digo JavaScript arbitrario, lo que podr\u00eda comprometer los datos del usuario, aumentar los privilegios o ejecutar acciones no autorizadas. El problema existe en varias \u00e1reas, incluida la edici\u00f3n de contenido, la administraci\u00f3n de enlaces y la carga de archivos."}], "lastModified": "2025-05-20T20:11:04.087", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:optimizely:optimizely_cms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ABD61602-AD14-4F20-901C-A10FB00BA3BF", "versionEndExcluding": "12.22.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}

5.7 /10