
THREATINT
PUBLISHED

CVE-2024-12907

XSS in Kentico 7



Description

Kentico CMS version 7 is vulnerable to reflected XSS attacks through manipulation of a specific GET request parameter sent to the /CMSMessages/AccessDenied.aspx endpoint. Notably, support for this version of Kentico ended in 2016. Version 8 was tested as well and does not contain this vulnerability.

Reserved 2024-12-23 | Published 2025-01-02 | Updated 2025-01-02 | Assigner CERT-PL


MEDIUM: 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status: unaffected

Version 7: affected

Credits

Michał Majchrowicz (Afine Team) finder

Marcin Wyczechowski (Afine Team) finder

References

cert.pl/en/posts/2025/01/CVE-2024-12907

cve.org (CVE-2024-12907)

nvd.nist.gov (CVE-2024-12907)

https://cve.threatint.com/CVE/CVE-2024-12907