Reflected XSS Vulnerability in Kentico CMS Version 7
CVE-2024-12907
CVSS v4: 5.3 (MEDIUM)
Key Information:
- Vendor: Kentico
- Product: Kentico CMS
- CVE Published: 2 January 2025
Summary
Kentico CMS version 7 is vulnerable to reflected cross-site scripting (XSS): the value of a specific GET request parameter is reflected into the response without adequate encoding. The affected endpoint is /CMSMessages/AccessDenied.aspx. Support for this version ended in 2016, so no fix is available for it; users are strongly advised to upgrade to a later version that does not exhibit this vulnerability.
Affected Version(s)
Kentico CMS 7
References
CVSS v4
- Score: 5.3
- Severity: MEDIUM
- Confidentiality: None
- Integrity: None
- Availability: None
- Attack Vector: Network
- Attack Complexity: Low
- Attack Requirements: None
- Privileges Required: Undefined
- User Interaction: Unknown
Timeline
- Vulnerability published
- Vulnerability reserved
Credit
- Michał Majchrowicz (Afine Team)
- Marcin Wyczechowski (Afine Team)