Content Management System (CMS) Security Advisory - CMS-2025-01


Brief Description:

A high-severity Stored Cross-Site Scripting (XSS) vulnerability was identified in the CMS. A malicious actor with access to the affected features can store arbitrary JavaScript in the application; the script then executes in the browsers of other users who view the affected content, including editors and administrators, potentially compromising user data, escalating privileges through the victim's session, or performing unauthorized actions on the victim's behalf. The issue exists in multiple areas of the application, including content editing, link management, and file uploads.


Affected Versions: 

EPiServer.CMS.Core versions prior to 12.22.0. 


Solutions and Mitigations:

Upgrade to EPiServer.CMS.Core version 12.22.0 or later, which includes fixes for all identified instances of Stored XSS. Because the payload is stored, also review content, links, and uploaded files created before the upgrade for injected script rather than relying on the upgrade alone.


For Users that Cannot Upgrade: 

Users unable to upgrade to the fixed version should apply the following mitigations. They reduce exposure but do not remove the underlying flaw; upgrading remains the only complete fix.

  • Restrict Content Editing Permissions: The payload is stored through the CMS's own editing, link, and upload features, so limit those features to trusted users only, review who holds editor and administrator roles, and remove accounts that no longer need them.

  • Sanitize Input Data: Validate and sanitize user-provided content on the server, particularly in content data fields, URL inputs, and file uploads. Use an allowlist-based HTML sanitizer for rich-text fields (permitted tags and attributes only, with event-handler attributes dropped), reject link values whose scheme is not explicitly allowed (for example http, https, and mailto, rejecting javascript: and data: URLs), and encode values on output wherever they are rendered.

  • Disable Dangerous File Types: Restrict uploads to an allowlist of formats the site actually needs, blocking formats a browser renders as active content such as HTML, XHTML, SVG, and XML. Check the file content, not only the extension, and serve uploaded files with Content-Disposition: attachment and X-Content-Type-Options: nosniff, or from a separate origin, so that a disguised file cannot execute in the CMS's origin.

  • Use a Web Application Firewall (WAF): Deploy a WAF with XSS rules to filter and block malicious payloads in real time. Treat this as defense in depth only: WAF signatures can be evaded by encoding variations and do nothing against payloads that were stored before the rules were applied.
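The following is an added example written for this advisory; it is not code from the advisory or from Optimizely/EPiServer. It shows, in standalone Python that can be ported to the CMS's own .NET request pipeline, how the link-scheme and upload checks described in the mitigations above can be implemented server-side. The function names (link_scheme, is_safe_link, check_upload), the allowlists, and the sample inputs are illustrative assumptions, not values from the advisory; tune the allowlists to the site's needs.

```python
"""Server-side link and upload checks for stored-XSS exposure (added example, not CMS code).

Assumptions (not from the advisory): the function names, the allowlists and the
sample inputs below are illustrative; tune the allowlists to the site's needs.
"""
import re
from typing import NamedTuple, Optional
from urllib.parse import urlsplit

# Schemes a link field may carry. Anything else (javascript:, data:, vbscript:, ...) is rejected.
ALLOWED_LINK_SCHEMES = {"http", "https", "mailto", "tel"}

# Upload extensions accepted for media. HTML/XHTML/SVG/XML are deliberately absent
# because a browser renders them as active content inside the site's origin.
ALLOWED_UPLOAD_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp", "pdf", "mp4"}

# Leading signatures of markup. A file starting like this is active content
# whatever its extension claims (optional UTF-8 BOM, then whitespace, then a tag).
MARKUP_SIGNATURE = re.compile(
    rb"^(?:\xef\xbb\xbf)?\s*(?:<\?xml|<!doctype\s+html|<html|<svg|<script)",
    re.IGNORECASE,
)

# Characters browsers discard before interpreting a URL: tab/CR/LF anywhere,
# C0 controls and space at the ends. "java\tscript:" is still javascript: to a browser.
_STRIP_ANYWHERE = re.compile(r"[\t\r\n]")
_STRIP_ENDS = "".join(chr(c) for c in range(0x21))


def link_scheme(url: str) -> Optional[str]:
    """Return the lower-cased scheme a browser would see, or None for a relative URL."""
    cleaned = _STRIP_ANYWHERE.sub("", url).strip(_STRIP_ENDS)
    scheme = urlsplit(cleaned).scheme
    return scheme.lower() if scheme else None


def is_safe_link(url: str) -> bool:
    """Accept relative URLs and allowlisted schemes; reject everything else."""
    scheme = link_scheme(url)
    return scheme is None or scheme in ALLOWED_LINK_SCHEMES


class UploadVerdict(NamedTuple):
    accepted: bool
    reason: str


def check_upload(filename: str, head: bytes) -> UploadVerdict:
    """Check an upload by extension allowlist, then by sniffing the first bytes for markup.

    `head` is the first few hundred bytes of the file as received by the server.
    """
    # Ignore any client-supplied directory part; only the basename matters here.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name:
        return UploadVerdict(False, "no file extension")
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_UPLOAD_EXTENSIONS:
        return UploadVerdict(False, f"extension .{ext} is not allowlisted")
    # Extension alone is not enough: an SVG renamed to .png still carries <svg><script>.
    if MARKUP_SIGNATURE.match(head):
        return UploadVerdict(False, "content starts with markup despite the extension")
    return UploadVerdict(True, "ok")


if __name__ == "__main__":
    # Constructed sample inputs, not captured from any real system.
    for url in ["https://example.com/page", "/en/about",
                "javascript:alert(document.cookie)", "  JaVa\tScRiPt:alert(1)",
                "data:text/html;base64,PHNjcmlwdD4="]:
        print(f"link {url!r:45} -> {'allow' if is_safe_link(url) else 'reject'}")
    samples = [
        ("logo.png", b"\x89PNG\r\n\x1a\n"),
        ("diagram.svg", b"<svg xmlns='http://www.w3.org/2000/svg'><script>alert(1)</script></svg>"),
        ("logo.png", b"\xef\xbb\xbf<?xml version='1.0'?><svg><script>alert(1)</script></svg>"),
        ("page.html", b"<!DOCTYPE html><script>alert(1)</script>"),
    ]
    for fname, head in samples:
        verdict = check_upload(fname, head)
        print(f"upload {fname:12} -> {'accept' if verdict.accepted else 'reject'}: {verdict.reason}")
```

The markup sniff is a heuristic for the common disguise (an SVG or HTML file renamed to an image extension), not a full content-type validator; it belongs alongside serving uploads with Content-Disposition: attachment and X-Content-Type-Options: nosniff, which stop a file that slips through from executing in the site's origin. The link check operates on the decoded field value as the CMS stores it, so it must run after any HTML-entity decoding the editor applies.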


Severity: 

High  


CVSS Score:

8.1 


CVE ID:

CVE-2025-22388


Date Published:

January 3, 2025