optimizely 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
過去の問題は主に vendor risk cross-site scripting などに関し、一部は vendor impact session compromise を招き、vendor surface production workloads and vendor surface software deployment 関連の場面に影響します。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2025-22390 | An issue was discovered in Optimizely EPiServer.CMS.Core before 12.32.0. A medium-severity vulnerability exists in the CMS due to insufficient enforcement of password complexity requirements. The application permits users to set passwords with a minimum length of 6 characters, lacking adequate complexity to resist modern attack techniques such as password spraying or offline password cracking. | [email protected] | 7.5 | 0.33% | 2025-01-04 | 2025-05-20 |
| CVE-2025-22389 | An issue was discovered in Optimizely EPiServer.CMS.Core before 12.32.0. A medium-severity vulnerability exists in the CMS, where the application does not properly validate uploaded files. This allows the upload of potentially malicious file types, including .docm .html. When accessed by application users, these files can be used to execute malicious actions or compromise users' systems. | [email protected] | 8.0 | 0.47% | 2025-01-04 | 2025-05-20 |
| CVE-2025-22388 | An issue was discovered in Optimizely EPiServer.CMS.Core before 12.22.0. A high-severity Stored Cross-Site Scripting (XSS) vulnerability exists in the CMS, allowing malicious actors to inject and execute arbitrary JavaScript code, potentially compromising user data, escalating privileges, or executing unauthorized actions. The issue exists in multiple areas, including content editing, link management, and file uploads. | [email protected] | 5.7 | 0.31% | 2025-01-04 | 2025-05-20 |
| CVE-2025-22387 | An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity issue exists in requests for resources where the session token is submitted as a URL parameter. This exposes information about the authenticated session, which can be leveraged for session hijacking. | [email protected] | 7.5 | 0.38% | 2025-01-04 | 2025-05-21 |
| CVE-2025-22386 | An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity session issue exists in the Commerce B2B application, affecting the longevity of active sessions in the storefront. This allows session tokens tied to logged-out sessions to still be active and usable. | [email protected] | 7.3 | 0.27% | 2025-01-04 | 2025-05-20 |
| CVE-2025-22385 | An issue was discovered in Optimizely Configured Commerce before 5.2.2408. For newly created accounts, the Commerce B2B application does not require email confirmation. This medium-severity issue allows the mass creation of accounts. This could affect database storage; also, non-requested storefront accounts can be created on behalf of visitors. | [email protected] | 5.9 | 0.30% | 2025-01-04 | 2025-05-20 |
| CVE-2025-22384 | An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity issue concerning business logic exists in the Commerce B2B application, which allows storefront visitors to purchase discontinued products in specific scenarios where requests are altered before reaching the server. | [email protected] | 7.5 | 0.37% | 2025-01-04 | 2025-05-20 |
| CVE-2025-22383 | An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity input validation issue exists in the Commerce B2B application, affecting the Contact Us functionality. This allows visitors to send e-mail messages that could contain unfiltered HTML markup in specific scenarios. | [email protected] | 4.6 | 0.21% | 2025-01-04 | 2025-05-20 |
| CVE-2024-56175 | In Optimizely Configured Commerce before 5.2.2408, malicious payloads can be stored and subsequently executed in users' browsers under specific conditions: XSS from client-side template injection in list item names. | [email protected] | 6.1 | 0.22% | 2024-12-18 | 2025-06-05 |
| CVE-2024-56174 | In Optimizely Configured Commerce before 5.2.2408, malicious payloads can be stored and subsequently executed in users' browsers under specific conditions: XSS from client-side template injection in search history. | [email protected] | 8.1 | 0.36% | 2024-12-18 | 2025-06-05 |
| CVE-2024-56173 | In Optimizely Configured Commerce before 5.2.2408, malicious payloads can be stored and subsequently executed in users' browsers under specific conditions: XSS from JavaScript in an SVG document. | [email protected] | 4.7 | 0.26% | 2024-12-18 | 2025-06-05 |
| CVE-2023-31754 | Optimizely CMS UI before v12.16.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Admin panel. | [email protected] | 4.8 | 0.42% | 2023-11-14 | 2024-11-21 |