CVE-2025-22389
Published: 04 January 2025
Description
An issue was discovered in Optimizely EPiServer.CMS.Core before 12.32.0. A medium-severity vulnerability exists in the CMS, where the application does not properly validate uploaded files. This allows the upload of potentially malicious file types, including .docm .html. When accessed by application users, these files can be used to execute malicious actions or compromise users' systems.
Security Summary
CVE-2025-22389 is a file upload validation vulnerability in Optimizely EPiServer.CMS.Core versions prior to 12.32.0. The CMS fails to properly validate uploaded files, permitting the upload of potentially malicious file types such as .docm and .html. This issue, linked to CWE-434 (Unrestricted Upload of File with Dangerous Type), carries a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) and was published on 2025-01-04.
The vulnerability can be exploited by an authenticated attacker with low privileges (PR:L) who has access to upload functionality. Exploitation occurs over the network (AV:N) with low complexity (AC:L) but requires user interaction (UI:R) from a victim accessing the uploaded file. This enables execution of malicious actions, potentially compromising the victim's system with high impacts on confidentiality, integrity, and availability.
Mitigation guidance and patch details are provided in the official Optimizely Content Management System (CMS) Security Advisory CMS-2025-03, available at https://support.optimizely.com/hc/en-us/articles/33182404079629-Content-Management-System-CMS-Security-Advisory-CMS-2025-03.
Details
- CWE(s)