Unauthenticated File Upload and File Exposure in Kentico CMS by Kentico
CVE-2019-12102

9.1CRITICAL

Key Information:

Vendor

Kentico

Status
Kentico
Vendor
CVE Published:
22 May 2019

What is CVE-2019-12102?

The Kentico CMS versions 11 and 12 allow unauthorized users to upload and view files through an insecure media library feature. The vulnerability exists in the 'insertimageormedia' functionality, where attackers can exploit inadequate media library permissions, leading to unauthorized access to sensitive files. Though the vendor claims that this occurs only if media library permissions are misconfigured, it highlights the need for administrators to be vigilant in setting permissions to safeguard against potential exploitation.

References

https://docs.kentico.com/k12/release-notes-kentico-12
x_refsource_MISC
https://devnet.kentico.com/download/hotfixes
x_refsource_MISC
https://github.com/Gr4y21/My-CVE-IDs/blob/master/Kentico%...
x_refsource_MISC

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.