CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2019-6242
https://notcve.org/view.php?id=CVE-2019-6242
08 Feb 2019 — Kentico v10.0.42 allows Global Administrators to read the cleartext SMTP Password by navigating to the SMTP configuration page. NOTE: the vendor considers this a best-practice violation but not a vulnerability. The vendor plans to fix it at a future time ** EN DISPUTA ** Kentico v10.0.42 permite que los administradores globales lean la contraseña SMTP en texto claro navegando a la página de configuración de SMTP. NOTA: el fabricante considera que esto es una violación de las buenas prácticas, pero no una vu... • https://gist.github.com/boatpavaris/cff51e52a96fdde8215f71a3315703c2 • CWE-522: Insufficiently Protected Credentials •
CVSS: 9.8EPSS: 84%CPEs: 2EXPL: 2CVE-2017-17736
https://notcve.org/view.php?id=CVE-2017-17736
23 Mar 2018 — Kentico 9.0 before 9.0.51 and 10.0 before 10.0.48 allows remote attackers to obtain Global Administrator access by visiting CMSInstall/install.aspx and then navigating to the CMS Administration Dashboard. **RECHAZADA** NO USAR ESTE NÜMERO DE CANDIDATO. ConsultIDs: ninguna. Motivo: Este candidato estaba en un grupo de CNA que no estaba asignado a ningún problema durante 2017. Notas: ninguna. • https://github.com/0xSojalSec/Nuclei-TemplatesNuclei-Templates-CVE-2017-17736 • CWE-425: Direct Request ('Forced Browsing') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2018-6842
https://notcve.org/view.php?id=CVE-2018-6842
19 Mar 2018 — Kentico 10 before 10.0.50 and 11 before 11.0.3 has XSS in which a crafted URL results in improper construction of a system page. Kentico 10, en versiones anteriores a la 10.0.50 y versiones 11 anteriores a la 11.0.3, tiene Cross-Site Scripting (XSS) por el cual una URL manipulada resulta en la construcción indevida de una página de sistema. • https://gist.github.com/zamous/c0afd7e21f3111de873c7bef6dcd9dd7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0CVE-2018-6843
https://notcve.org/view.php?id=CVE-2018-6843
19 Mar 2018 — Kentico 10 before 10.0.50 and 11 before 11.0.3 has SQL injection in the administration interface. Kentico 10, en versiones anteriores a la 10.0.50 y versiones 11 anteriores a la 11.0.3, tiene inyección SQL en la interfaz de administración. • https://gist.github.com/zamous/c0afd7e21f3111de873c7bef6dcd9dd7 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 2%CPEs: 1EXPL: 2CVE-2018-7046 – Kentico CMS 11 Arbitrary Code Execution
https://notcve.org/view.php?id=CVE-2018-7046
19 Feb 2018 — Arbitrary code execution vulnerability in Kentico 9 through 11 allows remote authenticated users to execute arbitrary operating system commands in a dynamic .NET code evaluation context via C# code in a "Pages -> Edit -> Template -> Edit template properties -> Layout" box. NOTE: the vendor has responded that there is intended functionality for authorized users to edit and update ascx code layout ** EN DISPUTA ** Vulnerabilidad de ejecución de código arbitrario en Kentico, de la versión 9 a la 11, permite qu... • https://packetstorm.news/files/id/146474 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 2CVE-2018-7205 – Kentico CMS 11 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-7205
19 Feb 2018 — Reflected Cross-Site Scripting vulnerability in "Design" on "Edit device layout" in Kentico 9 through 11 allows remote attackers to execute malicious JavaScript via a malicious devicename parameter in a link that is entered via the "Pages -> Edit template properties -> Device Layouts -> Create device layout (and edit created device layout) -> Design" screens. NOTE: the vendor has responded that there is intended functionality for authorized users to edit and update ascx code layout ** EN DISPUTA ** Vulnerab... • https://packetstorm.news/files/id/146475 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 3CVE-2018-5282 – Kentico CMS 11.0 - Buffer Overflow
https://notcve.org/view.php?id=CVE-2018-5282
08 Jan 2018 — Kentico 9.0 through 11.0 has a stack-based buffer overflow via the SqlName, SqlPswd, Database, UserName, or Password field in a SilentInstall XML document. NOTE: the vendor disputes this issue because neither a buffer overflow nor a crash can be reproduced; also, reading XML documents is implemented exclusively with managed code within the Microsoft .NET Framework ** EN DISPUTA ** Kentico 9.0 hasta la versión 11.0 tiene un desbordamiento de búfer basado en pila mediante los campos SqlName, SqlPswd, Database... • https://packetstorm.news/files/id/145868 • CWE-787: Out-of-bounds Write •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2015-7822 – Kentico CMS 8.2 Cross Site Scripting / Open Redirect
https://notcve.org/view.php?id=CVE-2015-7822
15 Oct 2015 — Multiple cross-site scripting (XSS) vulnerabilities in Kentico CMS 8.2 allow remote attackers to inject arbitrary web script or HTML via a (1) parameter name to CMSModules/AdminControls/Pages/UIPage.aspx or the (2) CMSBodyClass cookie variable to the default URI. Múltiples vulnerabilidades de XSS en Kentico CMS 8.2 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de (1) un nombre de parámetro en CMSModules/AdminControls/Pages/UIPage.aspx o (2) variable cookie CMSB... • https://packetstorm.news/files/id/133981 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 27%CPEs: 1EXPL: 2CVE-2015-7823 – Kentico CMS 8.2 Cross Site Scripting / Open Redirect
https://notcve.org/view.php?id=CVE-2015-7823
15 Oct 2015 — Open redirect vulnerability in CMSPages/GetDocLink.ashx in Kentico CMS 8.2 through 8.2.41 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the link parameter. Vulnerabilidad de redirección abierta en CMSPages/GetDocLink.ashx en Kentico CMS 8.2 hasta la versión 8.2.41 permite a atacantes remotos redirigir a usuarios a páginas web arbitrarias y llevar a cabo ataques de phishing a través de una URL en el parámetro link. Kentico CMS version 8.2 suffers f... • https://packetstorm.news/files/id/133981 •