Full Report
An XSS (Cross-site Scripting) vulnerability has been found in Kentico CMS software (CVE-2024-12907).
Analysis Summary
# Vulnerability: XSS in Kentico CMS Version 7
## CVE Details
- CVE ID: CVE-2024-12907
- CVSS Score: not explicitly provided in the source text; severity estimated as Medium/High based on the impact type (XSS).
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'))
## Affected Systems
- Products: Kentico CMS
- Versions: Version 7
- Configurations: the `/CMSMessages/AccessDenied.aspx` endpoint, reached via specific GET request parameters.
## Vulnerability Description
The vulnerability is a Cross-site Scripting (XSS) flaw in Kentico CMS version 7. An attacker can exploit it by manipulating a specific parameter in a GET request to the `/CMSMessages/AccessDenied.aspx` endpoint; the value is reflected into the response without adequate encoding, resulting in reflected XSS.
## Exploitation
- Status: no information on exploitation in the wild is provided. A proof of concept is assumed to exist, given the successful coordinated disclosure.
- Complexity: assumed **Medium**, since a specific endpoint and parameter must be targeted.
- Attack Vector: **Network** (Reflected XSS executed via web requests).
## Impact
- Confidentiality: Potential compromise of user session data or sensitive information displayed on subsequent pages.
- Integrity: Potential for unauthorized actions on behalf of the victim user within the application context.
- Availability: Low direct impact, though script execution could lead to denial of service for the user session.
## Remediation
### Patches
- Because version 7 is no longer supported (support ended in 2016), no patch for it is mentioned or implied. The vendor recommends an immediate upgrade.
- **Recommended Action:** Upgrade to a supported, modern version of Kentico CMS (Kentico 8 and newer were tested and found not to be vulnerable at this specific point).
### Workarounds
- Implement strong input validation and output encoding on all user-controllable parameters destined for the `/CMSMessages/AccessDenied.aspx` page.
- Restrict access to the `/CMSMessages/AccessDenied.aspx` endpoint where possible until an upgrade can be performed.
## Detection
- Indicators of Compromise (IoC): Web server access logs showing suspicious or non-standard payloads (e.g., `<script>...</script>`, `javascript:alert(...)`) within GET requests targeting `/CMSMessages/AccessDenied.aspx`.
- Detection methods and tools: Web Application Firewalls (WAFs) configured to detect XSS signatures targeting this specific URI path and parameter set; review of application and web server logs for abnormal URI query strings.
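One way to carry out the log review described above, as an added example that is not part of the original report and not Kentico's code: a Python scanner that parses Common Log Format lines, keeps only requests for `/CMSMessages/AccessDenied.aspx`, decodes every query parameter (twice, to catch double encoding) and flags the payload shapes listed above as IoCs. The parameter name `msg` and the log lines are constructed, since the advisory does not name the vulnerable parameter; the event-handler pattern is an assumed extra check beyond the advisory's list.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoint named in the advisory; IIS paths are case-insensitive.
TARGET_PATH = "/cmsmessages/accessdenied.aspx"

# Payload shapes listed as IoCs in the advisory, plus an event-handler
# form added here as an assumed, common extra check.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon(error|load)\s*=", re.I),
]

# Common Log Format: client ident user [ts] "METHOD target PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def scan_access_log(lines):
    """Return one finding per request carrying an XSS-like query value."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        client, _method, target, status = m.groups()
        parts = urlsplit(target)
        if parts.path.lower() != TARGET_PATH:
            continue
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            # parse_qsl decoded once; decode again to catch double-encoding
            decoded = unquote(value)
            for pat in XSS_PATTERNS:
                if pat.search(decoded):
                    findings.append({"client": client, "param": name,
                                     "pattern": pat.pattern, "status": status})
                    break
    return findings

# Constructed sample lines (not real traffic). The parameter name "msg"
# is a placeholder: the advisory does not name the vulnerable parameter.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:12:00:01 +0000] "GET /CMSMessages/AccessDenied.aspx?msg=/Admin HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Jan/2025:12:00:02 +0000] "GET /CMSMessages/AccessDenied.aspx?msg=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5130',
    '198.51.100.7 - - [10/Jan/2025:12:00:03 +0000] "GET /cmsmessages/accessdenied.aspx?msg=javascript:alert(1) HTTP/1.1" 200 5130',
    '198.51.100.9 - - [10/Jan/2025:12:00:04 +0000] "GET /Search.aspx?q=%3Cscript%3E HTTP/1.1" 200 2000',
]
if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The unrelated `/Search.aspx` probe is deliberately not reported, so the output stays scoped to this endpoint; widen `TARGET_PATH` to a set if other reflected parameters are in scope.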
## References
- Vendor advisories: none listed; the vendor (Kentico) was involved through coordinated reporting.
- Relevant links (defanged):
  - hxxps://cert.pl/en/cve (advisories)
  - hxxps://www.cve.org/CVERecord?id=CVE-2024-12907