CVE-2024-12907
Description
Kentico CMS version 7 is vulnerable to reflected XSS attacks through manipulation of a specific GET request parameter sent to the /CMSMessages/AccessDenied.aspx endpoint. Notably, support for this version of Kentico ended in 2016. Version 8 was tested as well and does not contain this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Kentico CMS version 7 has a reflected XSS via a specific GET request parameter sent to /CMSMessages/AccessDenied.aspx; version 7 has been EOL since 2016.
Vulnerability
Overview
CVE-2024-12907 is a reflected cross-site scripting (XSS) vulnerability in Kentico CMS version 7. The flaw is improper neutralization of a specific GET request parameter that the /CMSMessages/AccessDenied.aspx page reflects into its response, so an attacker can inject arbitrary HTML and JavaScript into the returned page [1].
Exploitation
An attacker exploits this by crafting a URL to the endpoint that carries the payload in the manipulated GET parameter and luring a victim into opening it; the injected script then runs in the victim's browser in the origin of the Kentico site. No prior authentication is required, and the attack is remote, but it does depend on the victim being able to reach the Kentico CMS instance and opening the link. Version 8 of the product was tested and confirmed not to contain this vulnerability [1].
Impact
If successfully exploited, the attacker can execute arbitrary JavaScript in the context of the victim's session with the site. This can lead to data theft (including session cookies), defacement, or redirection to malicious sites. Session cookies are readable by the script only if they lack the HttpOnly flag; even with HttpOnly set, the script can still issue requests in the victim's name and read page content in the same origin. The severity is considered Medium.
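The reflection described in the Overview and Exploitation sections, plus a log-triage check, as an added example that is not part of the CVE record or of Kentico's code. The two page functions are a minimal Python stand-in for an ASP.NET page that writes a query-string parameter into its HTML, once verbatim (the flawed pattern) and once HTML-encoded; the parameter name `msg`, the host `cms.example.invalid` and the IIS-style log lines are constructed placeholders, because the advisory does not name the affected parameter. The probe confirms reflection with a harmless canary string rather than an executing payload, and the log check flags requests to the endpoint whose decoded query string carries tag or event-handler syntax.

```python
"""Added example for CVE-2024-12907: canary probe for unencoded reflection and
IIS-style log triage. Stand-in code, not Kentico's; see assumptions in comments."""
import html
import re
from urllib.parse import parse_qs, quote, unquote_plus, urlsplit

ENDPOINT = "/CMSMessages/AccessDenied.aspx"
PARAM = "msg"  # hypothetical placeholder; the real parameter is not disclosed
# Canary: unique token wrapped around the metacharacters an XSS payload needs.
CANARY = "zq7'\"<xss>zq7"


def vulnerable_page(query: str) -> str:
    """Stand-in for the flawed behaviour: the parameter is copied into HTML verbatim."""
    value = parse_qs(query).get(PARAM, [""])[0]
    return f"<html><body><p>Access denied: {value}</p></body></html>"


def hardened_page(query: str) -> str:
    """Same page with the parameter HTML-encoded (including quotes) before output."""
    value = parse_qs(query).get(PARAM, [""])[0]
    return f"<html><body><p>Access denied: {html.escape(value, quote=True)}</p></body></html>"


def build_probe_url(base: str, canary: str = CANARY) -> str:
    """URL that sends the canary in the reflected parameter, fully percent-encoded."""
    return f"{base}{ENDPOINT}?{PARAM}={quote(canary, safe='')}"


def reflected_unencoded(body: str, canary: str = CANARY) -> bool:
    """True if the canary reaches the HTML with its metacharacters intact."""
    return canary in body


def probe_reflection(page, base: str = "https://cms.example.invalid") -> bool:
    """Drive a page function with the probe URL's query string (offline stand-in
    for sending the GET request) and report whether reflection is unencoded."""
    query = urlsplit(build_probe_url(base)).query
    return reflected_unencoded(page(query))


# Constructed IIS W3C-style lines (reduced field set) for the triage check.
LOG_LINES = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2024-12-01 10:00:01 10.0.0.5 GET /CMSMessages/AccessDenied.aspx msg=Not+allowed 80 - 192.0.2.10 200
2024-12-01 10:00:07 10.0.0.5 GET /CMSMessages/AccessDenied.aspx msg=%3Cscript%3Ealert(1)%3C/script%3E 80 - 198.51.100.7 200
2024-12-01 10:00:09 10.0.0.5 GET /CMSPages/GetResource.ashx q=%3Cb%3E 80 - 198.51.100.7 200
2024-12-01 10:00:12 10.0.0.5 GET /CMSMessages/AccessDenied.aspx msg=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E 80 - 198.51.100.7 200
""".strip().splitlines()

# Tag openers, javascript: URLs and inline event handlers; \b avoids matching
# legitimate parameter names such as "reason=".
XSS_PATTERN = re.compile(r"<[a-z/!]|javascript:|\bon\w+\s*=", re.I)


def suspicious_requests(lines):
    """Return (timestamp, client_ip, decoded_query) for requests to the endpoint
    whose decoded query string contains XSS-style syntax."""
    hits = []
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue
        fields = line.split()
        if len(fields) < 10:
            continue
        stem, query, client_ip = fields[4], fields[5], fields[8]
        if stem.lower() != ENDPOINT.lower() or query == "-":
            continue
        decoded = unquote_plus(query)
        if XSS_PATTERN.search(decoded):
            hits.append((f"{fields[0]} {fields[1]}", client_ip, decoded))
    return hits


if __name__ == "__main__":
    print("probe URL:", build_probe_url("https://cms.example.invalid"))
    print("vulnerable reflects unencoded:", probe_reflection(vulnerable_page))
    print("hardened reflects unencoded:", probe_reflection(hardened_page))
    for ts, ip, q in suspicious_requests(LOG_LINES):
        print("suspicious:", ts, ip, q)
```

Against a live instance the same check is to request the probe URL and apply `reflected_unencoded` to the response body; a canary with quotes and angle brackets surviving intact is sufficient evidence of the flaw without executing script in anyone's browser.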
Mitigation
Kentico CMS version 7 reached end of life in 2016 and no longer receives security updates, so no patch is available for it; the remediation is to migrate to a supported release, such as version 8 (tested and not affected) or later, as the vendor recommends [1]. Until the migration, a WAF or reverse-proxy rule that rejects HTML metacharacters in query parameters to /CMSMessages/AccessDenied.aspx, a restrictive Content-Security-Policy, and HttpOnly session cookies reduce exploitability, but none of these substitutes for the upgrade.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 7.0.0
- Range: = 7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.