Xperience
by Kentico
CVEs (36)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-2749 | Hig | 0.59 | 7.2 | 0.04 | KEV | Mar 24, 2025 | An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to… | |
| CVE-2025-2747 | 0.19 | — | 0.92 | KEV | Mar 24, 2025 | An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server component password handling for the server defined None type. Authentication bypass allows an attacker to control administrative objects.This issue affects… | ||
| CVE-2025-2746 | 0.19 | — | 0.58 | KEV | Mar 24, 2025 | An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server password handling of empty SHA1 usernames in digest authentication. Authentication bypass allows an attacker to control administrative objects.This issue affects… | ||
| CVE-2025-32370 | 0.03 | — | 0.01 | Apr 6, 2025 | Kentico Xperience before 13.0.178 has a specific set of allowed ContentUploader file extensions for unauthenticated uploads; however, because .zip is processed through TryZipProviderSafe, there is additional functionality to create files with other extensions. NOTE: this is a… | |||
| CVE-2025-5591 | 0.00 | — | 0.00 | Jan 5, 2026 | Kentico Xperience 13 is vulnerable to a stored cross-site scripting attack via a form component, allowing an attacker to hijack a victim user’s session and perform actions in their security context. | |||
| CVE-2024-58323 | 0.00 | — | 0.00 | Dec 18, 2025 | A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the Checkbox form component. This allows malicious scripts to execute in users' browsers by exploiting HTML support in the form builder. | |||
| CVE-2024-58322 | 0.00 | — | 0.00 | Dec 18, 2025 | A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious code into shipping options configuration. This could lead to potential theft of sensitive data by executing malicious scripts in users' browsers. | |||
| CVE-2024-58321 | 0.00 | — | 0.00 | Dec 18, 2025 | A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via form validation rule configuration. Attackers can exploit this vulnerability to execute malicious scripts that will run in users' browsers. | |||
| CVE-2024-58320 | 0.00 | — | 0.00 | Dec 18, 2025 | An information disclosure vulnerability in Kentico Xperience allows public users to access sensitive administration interface hostname details during authentication. Attackers can retrieve confidential hostname configuration information through a public endpoint, potentially… | |||
| CVE-2024-58319 | 0.00 | — | 0.00 | Dec 18, 2025 | A reflected cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the Pages dashboard widget configuration dialog. Attackers can exploit this vulnerability to execute malicious scripts in administrative users' browsers. | |||
| CVE-2024-58318 | 0.00 | — | 0.00 | Dec 18, 2025 | A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the rich text editor component for page and form builders. Attackers can exploit this vulnerability by entering malicious URIs, potentially allowing malicious… | |||
| CVE-2024-58317 | 0.00 | — | 0.00 | Dec 18, 2025 | A cookie security configuration vulnerability in Kentico Xperience allows attackers to bypass SSL requirements when setting administration cookies via web.config. The vulnerability affects .NET Framework projects by incorrectly handling the 'requireSSL' attribute, potentially… | |||
| CVE-2023-53934 | 0.00 | — | 0.00 | Dec 18, 2025 | A denial of service vulnerability in Kentico Xperience allows attackers to launch DoS attacks via specially crafted requests to the GetResource handler. Improper input validation enables remote attackers to potentially disrupt service availability through maliciously constructed… | |||
| CVE-2023-53738 | 0.00 | — | 0.00 | Dec 18, 2025 | A reflected cross-site scripting vulnerability in Kentico Xperience allows authenticated users to inject malicious scripts via page preview URLs. Attackers can exploit this vulnerability to execute arbitrary scripts in users' browsers during page preview interactions. | |||
| CVE-2023-53737 | 0.00 | — | 0.00 | Dec 18, 2025 | A stored cross-site scripting vulnerability in Kentico Xperience allows global administrators to inject malicious payloads via the Localization application. Attackers can execute scripts that could affect multiple parts of the administration interface. | |||
| CVE-2023-53736 | 0.00 | — | 0.00 | Dec 18, 2025 | A reflected cross-site scripting vulnerability in Kentico Xperience allows authenticated users to inject malicious scripts in the administration interface. Attackers can exploit this vulnerability to execute arbitrary scripts within the administrative context. | |||
| CVE-2022-50686 | 0.00 | — | 0.00 | Dec 18, 2025 | An information disclosure vulnerability in Kentico Xperience allows attackers to view sensitive stack trace details via Portal Engine form control error messages. Detailed error messages can expose internal system information and potentially reveal implementation details to… | |||
| CVE-2022-50685 | 0.00 | — | 0.00 | Dec 18, 2025 | A stored cross-site scripting vulnerability in Kentico Xperience allows authenticated users to inject malicious scripts via XML file uploads as page attachments or metafiles. Attackers can upload malicious XML files that enable stored XSS, allowing malicious scripts to execute… | |||
| CVE-2022-50684 | 0.00 | — | 0.00 | Dec 18, 2025 | An HTML injection vulnerability in Kentico Xperience allows attackers to inject malicious HTML values into form submission emails via unencoded form fields. Unencoded form values could enable HTML content execution in recipient email clients, potentially compromising email… | |||
| CVE-2022-50683 | 0.00 | — | 0.00 | Dec 18, 2025 | A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via form redirect URL configuration. This allows malicious scripts to execute in users' browsers through unvalidated form configuration settings. |
- risk 0.59cvss 7.2epss 0.04
An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to…
- risk 0.19cvss —epss 0.92
An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server component password handling for the server defined None type. Authentication bypass allows an attacker to control administrative objects.This issue affects…
- risk 0.19cvss —epss 0.58
An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server password handling of empty SHA1 usernames in digest authentication. Authentication bypass allows an attacker to control administrative objects.This issue affects…
- CVE-2025-32370Apr 6, 2025risk 0.03cvss —epss 0.01
Kentico Xperience before 13.0.178 has a specific set of allowed ContentUploader file extensions for unauthenticated uploads; however, because .zip is processed through TryZipProviderSafe, there is additional functionality to create files with other extensions. NOTE: this is a…
- CVE-2025-5591Jan 5, 2026risk 0.00cvss —epss 0.00
Kentico Xperience 13 is vulnerable to a stored cross-site scripting attack via a form component, allowing an attacker to hijack a victim user’s session and perform actions in their security context.
- CVE-2024-58323Dec 18, 2025risk 0.00cvss —epss 0.00
A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the Checkbox form component. This allows malicious scripts to execute in users' browsers by exploiting HTML support in the form builder.
- CVE-2024-58322Dec 18, 2025risk 0.00cvss —epss 0.00
A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious code into shipping options configuration. This could lead to potential theft of sensitive data by executing malicious scripts in users' browsers.
- CVE-2024-58321Dec 18, 2025risk 0.00cvss —epss 0.00
A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via form validation rule configuration. Attackers can exploit this vulnerability to execute malicious scripts that will run in users' browsers.
- CVE-2024-58320Dec 18, 2025risk 0.00cvss —epss 0.00
An information disclosure vulnerability in Kentico Xperience allows public users to access sensitive administration interface hostname details during authentication. Attackers can retrieve confidential hostname configuration information through a public endpoint, potentially…
- CVE-2024-58319Dec 18, 2025risk 0.00cvss —epss 0.00
A reflected cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the Pages dashboard widget configuration dialog. Attackers can exploit this vulnerability to execute malicious scripts in administrative users' browsers.
- CVE-2024-58318Dec 18, 2025risk 0.00cvss —epss 0.00
A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the rich text editor component for page and form builders. Attackers can exploit this vulnerability by entering malicious URIs, potentially allowing malicious…
- CVE-2024-58317Dec 18, 2025risk 0.00cvss —epss 0.00
A cookie security configuration vulnerability in Kentico Xperience allows attackers to bypass SSL requirements when setting administration cookies via web.config. The vulnerability affects .NET Framework projects by incorrectly handling the 'requireSSL' attribute, potentially…
- CVE-2023-53934Dec 18, 2025risk 0.00cvss —epss 0.00
A denial of service vulnerability in Kentico Xperience allows attackers to launch DoS attacks via specially crafted requests to the GetResource handler. Improper input validation enables remote attackers to potentially disrupt service availability through maliciously constructed…
- CVE-2023-53738Dec 18, 2025risk 0.00cvss —epss 0.00
A reflected cross-site scripting vulnerability in Kentico Xperience allows authenticated users to inject malicious scripts via page preview URLs. Attackers can exploit this vulnerability to execute arbitrary scripts in users' browsers during page preview interactions.
- CVE-2023-53737Dec 18, 2025risk 0.00cvss —epss 0.00
A stored cross-site scripting vulnerability in Kentico Xperience allows global administrators to inject malicious payloads via the Localization application. Attackers can execute scripts that could affect multiple parts of the administration interface.
- CVE-2023-53736Dec 18, 2025risk 0.00cvss —epss 0.00
A reflected cross-site scripting vulnerability in Kentico Xperience allows authenticated users to inject malicious scripts in the administration interface. Attackers can exploit this vulnerability to execute arbitrary scripts within the administrative context.
- CVE-2022-50686Dec 18, 2025risk 0.00cvss —epss 0.00
An information disclosure vulnerability in Kentico Xperience allows attackers to view sensitive stack trace details via Portal Engine form control error messages. Detailed error messages can expose internal system information and potentially reveal implementation details to…
- CVE-2022-50685Dec 18, 2025risk 0.00cvss —epss 0.00
A stored cross-site scripting vulnerability in Kentico Xperience allows authenticated users to inject malicious scripts via XML file uploads as page attachments or metafiles. Attackers can upload malicious XML files that enable stored XSS, allowing malicious scripts to execute…
- CVE-2022-50684Dec 18, 2025risk 0.00cvss —epss 0.00
An HTML injection vulnerability in Kentico Xperience allows attackers to inject malicious HTML values into form submission emails via unencoded form fields. Unencoded form values could enable HTML content execution in recipient email clients, potentially compromising email…
- CVE-2022-50683Dec 18, 2025risk 0.00cvss —epss 0.00
A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via form redirect URL configuration. This allows malicious scripts to execute in users' browsers through unvalidated form configuration settings.
Page 1 of 2