Optimizely EPiServer.CMS.Core
cpe:2.3:a:optimizely:optimizely_cms:*:*:*:*:*:*:*
- < 11.21.4
- < 12.22.1
A stored cross-site scripting vulnerability has been identified in the Optimizely Episerver Content Management System (CMS) versions 11.X prior to 11.21.4 with EPiServer.CMS.UI through 11.37.5, and in versions 12.X prior to 12.22.1 with EPiServer.CMS.UI through 11.37.3. This vulnerability allows authenticated attackers with at least the 'WebEditor' role to inject malicious JavaScript into rich text editor properties. The injected script executes in the context of the victim's browser when the previewed page is viewed.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected content.
To reproduce this vulnerability, an authenticated user with 'WebEditor' role can inject JavaScript into 'XhtmlString' properties or uploaded files within the CMS editor. If the 'Keep' option is selected for files containing scripts, or if JavaScript is allowed in 'XhtmlString' properties, the injected script will be executed when the previewed page is viewed.
Users can update to Optimizely Episerver CMS versions 11.21.4 or 12.22.1 to address this vulnerability.
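To find installations that still need the update, the following added example (not Optimizely's code and not part of the original advisory) checks `EPiServer.CMS.Core` references in `packages.config` or SDK-style `.csproj` XML against the fixed versions above. It looks at the Core package only, not the EPiServer.CMS.UI condition; the function names and sample files are constructed, and treating versions below 11.X as affected is an assumption based on the listed "< 11.21.4" range.

```python
import re
import xml.etree.ElementTree as ET

PACKAGE = "episerver.cms.core"  # NuGet ids are case-insensitive
FIXED = {11: (11, 21, 4), 12: (12, 22, 1)}  # fixed releases named in the advisory

def parse_version(text):
    """Return (major, minor, patch), or None for ranges, floating or pre-release versions."""
    if not re.fullmatch(r"\d+(?:\.\d+){1,3}", (text or "").strip()):
        return None
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def is_affected(version):
    """True or False per the advisory's ranges; None when the version cannot be decided."""
    v = parse_version(version)
    if v is None:
        return None
    if v[0] == 12:
        return v < FIXED[12]
    # Assumption: anything below the 12.x line follows the listed "< 11.21.4" range.
    return v < FIXED[11]

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an MSBuild XML namespace if present

def audit(xml_text):
    """Return [(version, affected)] for each EPiServer.CMS.Core reference in the XML."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        name = local(el.tag)
        if name == "package" and el.get("id", "").lower() == PACKAGE:
            version = el.get("version")
        elif name == "PackageReference" and el.get("Include", "").lower() == PACKAGE:
            # Version is either an attribute or a <Version> child element.
            child = next((c.text for c in el if local(c.tag) == "Version"), None)
            version = el.get("Version") or child
        else:
            continue
        found.append((version, is_affected(version)))
    return found

# Constructed sample inputs (not taken from a real project).
SAMPLE_PACKAGES_CONFIG = """<packages>
  <package id="EPiServer.CMS.Core" version="11.20.7" targetFramework="net472" />
  <package id="Newtonsoft.Json" version="13.0.3" />
</packages>"""
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web"><ItemGroup>
  <PackageReference Include="EPiServer.CMS.Core"><Version>12.22.1</Version></PackageReference>
</ItemGroup></Project>"""

if __name__ == "__main__":
    for sample in (SAMPLE_PACKAGES_CONFIG, SAMPLE_CSPROJ):
        print(audit(sample))
```

A result of `None` means the reference uses a version range, a pre-release tag or central package management, so the resolved version has to be confirmed from the restore output instead.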