CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-2878 – Kentico CMS Additional Database Installation Wizard install.aspx cross site scripting
https://notcve.org/view.php?id=CVE-2025-2878
27 Mar 2025 — A vulnerability was found in Kentico CMS up to 13.0.178. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /CMSInstall/install.aspx of the component Additional Database Installation Wizard. The manipulation of the argument new database leads to cross site scripting. The attack can be launched remotely. • https://devnet.kentico.com/download/hotfixes • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-12907 – XSS in Kentico 7
https://notcve.org/view.php?id=CVE-2024-12907
02 Jan 2025 — Kentico CMS in version 7 is vulnerable to a Reflected XSS attacks through manipulation of a specific GET request parameter sent to /CMSMessages/AccessDenied.aspx endpoint. Notably, support for this version of Kentico ended in 2016. Version 8 was tested as well and does not contain this vulnerability. Kentico CMS in version 7 is vulnerable to a Reflected XSS attacks through manipulation of a specific GET request parameter sent to /CMSMessages/AccessDenied.aspx endpoint. Notably, support for this version of K... • https://cert.pl/en/posts/2025/01/CVE-2024-12907 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-46163
https://notcve.org/view.php?id=CVE-2021-46163
09 Jan 2022 — Kentico Xperience 13.0.44 allows XSS via an XML document to the Media Libraries subsystem. Kentico Xperience versión 13.0.44, permite un ataque de tipo XSS por medio de un documento XML al subsistema de Bibliotecas de Medios • https://gist.github.com/boatpavaris/649e731b2398597634fbe423dcfd8485 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-27581
https://notcve.org/view.php?id=CVE-2021-27581
05 Mar 2021 — The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter. El módulo Blog en Kentico CMS versiones 5.5 R2 build 5.5.3996, permite una inyección SQL por medio del parámetro tagname • https://gist.github.com/stasinopoulos/673ae3c31d703b4d67449f4d8888c686 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-19453
https://notcve.org/view.php?id=CVE-2018-19453
10 Apr 2019 — Kentico CMS before 11.0.45 allows unrestricted upload of a file with a dangerous type. Kentico CMS versión anterior al 11.0.45 permite la carga sin restricciones de un archivo de tipo peligroso • https://blog.hivint.com/advisory-upload-malicious-file-in-kentico-cms-cve-2018-19453-36debbf85216 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 84%CPEs: 2EXPL: 2CVE-2017-17736
https://notcve.org/view.php?id=CVE-2017-17736
23 Mar 2018 — Kentico 9.0 before 9.0.51 and 10.0 before 10.0.48 allows remote attackers to obtain Global Administrator access by visiting CMSInstall/install.aspx and then navigating to the CMS Administration Dashboard. **RECHAZADA** NO USAR ESTE NÜMERO DE CANDIDATO. ConsultIDs: ninguna. Motivo: Este candidato estaba en un grupo de CNA que no estaba asignado a ningún problema durante 2017. Notas: ninguna. • https://github.com/0xSojalSec/Nuclei-TemplatesNuclei-Templates-CVE-2017-17736 • CWE-425: Direct Request ('Forced Browsing') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2018-6842
https://notcve.org/view.php?id=CVE-2018-6842
19 Mar 2018 — Kentico 10 before 10.0.50 and 11 before 11.0.3 has XSS in which a crafted URL results in improper construction of a system page. Kentico 10, en versiones anteriores a la 10.0.50 y versiones 11 anteriores a la 11.0.3, tiene Cross-Site Scripting (XSS) por el cual una URL manipulada resulta en la construcción indevida de una página de sistema. • https://gist.github.com/zamous/c0afd7e21f3111de873c7bef6dcd9dd7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0CVE-2018-6843
https://notcve.org/view.php?id=CVE-2018-6843
19 Mar 2018 — Kentico 10 before 10.0.50 and 11 before 11.0.3 has SQL injection in the administration interface. Kentico 10, en versiones anteriores a la 10.0.50 y versiones 11 anteriores a la 11.0.3, tiene inyección SQL en la interfaz de administración. • https://gist.github.com/zamous/c0afd7e21f3111de873c7bef6dcd9dd7 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 2%CPEs: 1EXPL: 2CVE-2018-7046 – Kentico CMS 11 Arbitrary Code Execution
https://notcve.org/view.php?id=CVE-2018-7046
19 Feb 2018 — Arbitrary code execution vulnerability in Kentico 9 through 11 allows remote authenticated users to execute arbitrary operating system commands in a dynamic .NET code evaluation context via C# code in a "Pages -> Edit -> Template -> Edit template properties -> Layout" box. NOTE: the vendor has responded that there is intended functionality for authorized users to edit and update ascx code layout ** EN DISPUTA ** Vulnerabilidad de ejecución de código arbitrario en Kentico, de la versión 9 a la 11, permite qu... • https://packetstorm.news/files/id/146474 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 2CVE-2018-7205 – Kentico CMS 11 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-7205
19 Feb 2018 — Reflected Cross-Site Scripting vulnerability in "Design" on "Edit device layout" in Kentico 9 through 11 allows remote attackers to execute malicious JavaScript via a malicious devicename parameter in a link that is entered via the "Pages -> Edit template properties -> Device Layouts -> Create device layout (and edit created device layout) -> Design" screens. NOTE: the vendor has responded that there is intended functionality for authorized users to edit and update ascx code layout ** EN DISPUTA ** Vulnerab... • https://packetstorm.news/files/id/146475 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •