VYPR

Kenticocms

by Kentico

CVEs (17)

  • CVE-2019-10068CriKEVMar 26, 2019
    risk 0.86cvss 9.8epss 0.96

    An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x before 11.0.48, 10.0.x before 10.0.52, and 9.x versions. Due to a failure to validate security headers, it was possible for a specially crafted request to the staging service to bypass the initial authentication…

  • CVE-2017-17736CriMar 23, 2018
    risk 0.69cvss 9.8epss 0.69

    Kentico 9.0 before 9.0.51 and 10.0 before 10.0.48 allows remote attackers to obtain Global Administrator access by visiting CMSInstall/install.aspx and then navigating to the CMS Administration Dashboard.

  • CVE-2021-27581CriMar 5, 2021
    risk 0.64cvss 9.8epss 0.02

    The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.

  • CVE-2019-12102CriMay 22, 2019
    risk 0.59cvss 9.1epss 0.02

    Kentico 11 through 12 lets attackers upload and explore files without authentication via the cmsmodules/medialibrary/formcontrols/liveselectors/insertimageormedia/tabs_media.aspx URI. NOTE: The vendor disputes the report because the researcher did not configure the media library…

  • CVE-2018-19453HigApr 10, 2019
    risk 0.57cvss 8.8epss 0.01

    Kentico CMS before 11.0.45 allows unrestricted upload of a file with a dangerous type.

  • CVE-2018-5282HigJan 8, 2018
    risk 0.54cvss 7.8epss 0.02

    Kentico 9.0 through 11.0 has a stack-based buffer overflow via the SqlName, SqlPswd, Database, UserName, or Password field in a SilentInstall XML document. NOTE: the vendor disputes this issue because neither a buffer overflow nor a crash can be reproduced; also, reading XML…

  • CVE-2022-32387HigJul 18, 2022
    risk 0.49cvss 7.5epss 0.01

    In Kentico before 13.0.66, attackers can achieve Denial of Service via a crafted request to the GetResource handler.

  • CVE-2019-6242HigFeb 8, 2019
    risk 0.47cvss 7.2epss 0.01

    Kentico v10.0.42 allows Global Administrators to read the cleartext SMTP Password by navigating to the SMTP configuration page. NOTE: the vendor considers this a best-practice violation but not a vulnerability. The vendor plans to fix it at a future time

  • CVE-2018-6843HigMar 19, 2018
    risk 0.47cvss 7.2epss 0.01

    Kentico 10 before 10.0.50 and 11 before 11.0.3 has SQL injection in the administration interface.

  • CVE-2018-7046HigFeb 20, 2018
    risk 0.47cvss 7.2epss 0.06

    Arbitrary code execution vulnerability in Kentico 9 through 11 allows remote authenticated users to execute arbitrary operating system commands in a dynamic .NET code evaluation context via C# code in a "Pages -> Edit -> Template -> Edit template properties -> Layout" box. …

  • CVE-2020-24794MedSep 9, 2020
    risk 0.40cvss 6.1epss 0.01

    Cross Site Scripting (XSS) vulnerability in Kentico before 12.0.75.

  • CVE-2019-19493MedDec 2, 2019
    risk 0.38cvss 5.4epss 0.02

    Kentico before 12.0.50 allows file uploads in which the Content-Type header is inconsistent with the file extension, leading to XSS.

  • CVE-2018-6842MedMar 19, 2018
    risk 0.35cvss 5.4epss 0.01

    Kentico 10 before 10.0.50 and 11 before 11.0.3 has XSS in which a crafted URL results in improper construction of a system page.

  • CVE-2024-12907MedJan 2, 2025
    risk 0.34cvss epss 0.00

    Kentico CMS in version 7 is vulnerable to a Reflected XSS attacks through manipulation of a specific GET request parameter sent to /CMSMessages/AccessDenied.aspx endpoint. Notably, support for this version of Kentico ended in 2016. Version 8 was tested as well and does not…

  • CVE-2018-7205MedFeb 20, 2018
    risk 0.31cvss 4.8epss 0.01

    Reflected Cross-Site Scripting vulnerability in "Design" on "Edit device layout" in Kentico 9 through 11 allows remote attackers to execute malicious JavaScript via a malicious devicename parameter in a link that is entered via the "Pages -> Edit template properties -> Device…

  • CVE-2015-7823Oct 21, 2015
    risk 0.00cvss epss 0.05

    Open redirect vulnerability in CMSPages/GetDocLink.ashx in Kentico CMS 8.2 through 8.2.41 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the link parameter.

  • CVE-2015-7822Oct 21, 2015
    risk 0.00cvss epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in Kentico CMS 8.2 allow remote attackers to inject arbitrary web script or HTML via a (1) parameter name to CMSModules/AdminControls/Pages/UIPage.aspx or the (2) CMSBodyClass cookie variable to the default URI.