CVE-2025-2878
Description
A vulnerability was found in Kentico CMS up to 13.0.178. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /CMSInstall/install.aspx of the component Additional Database Installation Wizard. The manipulation of the argument "new database" leads to cross-site scripting. The attack can be launched remotely. Upgrading to version 13.0.179 addresses this issue. It is recommended to upgrade the affected component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Kentico CMS up to 13.0.178 contains a stored XSS flaw in the Additional Database Installation Wizard (install.aspx) via the 'new database' parameter, requiring low privileges.
Vulnerability Overview
CVE-2025-2878 describes a cross-site scripting (XSS) vulnerability in Kentico CMS versions through 13.0.178. The flaw resides in the /CMSInstall/install.aspx page, specifically within the Additional Database Installation Wizard, where the "new database" parameter is not properly sanitized. This improper input handling allows an attacker to inject arbitrary web script or HTML into the application's response.
Attack Vector and Exploitation
The vulnerability can be exploited remotely; the attack complexity is high, but only low privileges are required for successful exploitation. By sending a crafted request to the vulnerable page with a malicious payload in the "new database" parameter, an attacker can cause the script to execute in the browser of an administrator or other user who visits the affected page. No authentication bypass is required, but the attacker must already have some level of access to the Kentico CMS administrative interface.
Impact
Successful exploitation enables an attacker to execute arbitrary JavaScript in the browser of a victim who accesses the compromised page. This could lead to data theft, session hijacking, or manipulation of the administrative interface. Given the low CVSS score of 2.4, the impact is limited, but it still represents a security risk for organizations running an affected version.
Mitigation
The vendor has addressed this issue in hotfix version 13.0.179. Users are strongly advised to upgrade to the latest hotfix, as recommended on the official Kentico DevNet hotfix page [1]. No workaround is documented; upgrading is the recommended course of action.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions (4)
No linked articles in our index yet.