XSS vulnerability in CMS 11 and 12
A potential security vulnerability was detected for Optimizely CMS that could affect CMS 11 installations before v11.37.1 and CMS 12 installations before v12.16.0.
In CMS 11, when request validation has been either completely or partially disabled by configuring requestValidationMode in the application's web.config file, harmful requests are allowed to reach the application.
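The following audit script is an added example, not Optimizely's code and not part of the advisory. It reads an ASP.NET web.config and reports the two settings that weaken request validation: the legacy httpRuntime requestValidationMode="2.0" (lazy, page-only validation) and pages validateRequest="false". The advisory does not state which setting affected installations used, so the choice of what counts as "weakened" is the script's own assumption; the sample configs are constructed.

```python
"""Audit an ASP.NET web.config for weakened request validation.

Added example (not Optimizely's code). Assumption: request validation is
treated as fully enabled when httpRuntime/@requestValidationMode is absent
or 4.0/4.5 (the modern modes) and pages/@validateRequest is not "false";
mode "2.0" reverts to legacy behaviour that only validates .aspx pages and
can be switched off per page.
"""
import xml.etree.ElementTree as ET

LEGACY_MODE_THRESHOLD = 4.0  # modes below this are the legacy (weak) behaviour


def audit_request_validation(web_config_xml: str) -> list[str]:
    """Return a list of findings; an empty list means nothing is weakened."""
    root = ET.fromstring(web_config_xml)
    findings = []
    # iter() also descends into <location> blocks that nest their own system.web
    for http_runtime in root.iter("httpRuntime"):
        mode = http_runtime.get("requestValidationMode")
        if mode is None:
            continue
        try:
            weak = float(mode) < LEGACY_MODE_THRESHOLD
        except ValueError:
            weak = True  # unparseable value: flag it for manual review
        if weak:
            findings.append(
                f"httpRuntime requestValidationMode={mode!r} uses legacy validation"
            )
    for pages in root.iter("pages"):
        if pages.get("validateRequest", "true").strip().lower() == "false":
            findings.append("pages validateRequest='false' disables validation for all pages")
    return findings


# Constructed sample configs; they are not taken from any real installation.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpRuntime requestValidationMode="2.0" />
    <pages validateRequest="false" />
  </system.web>
</configuration>"""

STRICT_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpRuntime targetFramework="4.8" requestValidationMode="4.5" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("strict", STRICT_CONFIG)):
        print(name, audit_request_validation(cfg) or ["no findings"])
```

Run it against a copy of the site's web.config (`audit_request_validation(open("web.config").read())`); any finding means the site is relying on application-level encoding alone, which is exactly the condition the advisory describes, so upgrade first and only then consider whether the relaxed setting is still needed.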
Overall, the risk of the vulnerability is low-medium. The attack is only possible for authenticated users and requires user interaction to execute. The issue was fixed in CMS v11.37.1 (CMS-28190) and CMS v12.16.0 (CMS-26236). Mitigation is in place for all DXP service customers.
- If using CMS 11, please update Optimizely CMS to the latest version.
- If using CMS 12, please update to the latest version.
- As a general best practice, it is recommended to restrict the number of users with admin privileges.
Please contact the security engineering team at firstname.lastname@example.org.
Low – little to no potential impact on Optimizely or customer environments/data. Vulnerability has low exploitability, for example: requirement for local or physical system access, zero reachability to/executability within Optimizely products/code.
Medium – some potential impact on Optimizely or customer environments/data. Vulnerability has medium exploitability, for example: requirement to be located on the same local network as the target, requirement for an individual to be manipulated via social engineering, requirement for user privileges, vulnerability achieves limited access to Optimizely products/code.
High – high potential impact on Optimizely or customer environments/data. Vulnerability has high exploitability, for example: achieves high level access to Optimizely products/code, could elevate privileges, could result in a significant data loss or downtime.
Critical – very significant potential impact on Optimizely or customer environments/data. Vulnerability has very high exploitability, for example: achieves admin/root-level access to Optimizely products/code. Vulnerability does not require any special authentication credentials/knowledge of Optimizely products/environments.