Stack-Based Buffer Overflow in Kentico Web Content Management System
CVE-2018-5282

7.8HIGH

Key Information:

Vendor: Kentico
Status: Kentico Cms
Vendor: CVE Published:; 8 January 2018

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2018-5282?

Kentico Web Content Management System versions 9.0 to 11.0 are vulnerable to a stack-based buffer overflow due to improper handling of input from the SqlName, SqlPswd, Database, UserName, or Password fields in a SilentInstall XML document. This flaw may allow an attacker to exploit the system, potentially leading to unauthorized access or other malicious actions. However, the vendor has contested the issue, stating that they could not reproduce a buffer overflow or system crash, emphasizing that XML document processing occurs entirely within the managed code of the Microsoft .NET Framework.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2018-5282 - Proof of Concept

References

https://www.vulnerability-lab.com/get_content.php?id=1943

x_refsource_MISC

https://www.exploit-db.com/exploits/43547/

exploitx_refsource_EXPLOIT-DB

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jan 8, 2018
👾
Exploit known to exist
Jan 8, 2018
Vulnerability published
Jan 8, 2018
Vulnerability Reserved
Jan 8, 2018

CVE-2018-5282 Data

JSON