Kentico CMS 8.2.x < 8.2.41 Open Redirect

medium Web App Scanning Plugin ID 98995

Language:

Synopsis

Kentico CMS 8.2.x < 8.2.41 Open Redirect

Description

Kentico CMS is a common ASP.NET Content Management System (CMS) used for building websites and online stores.

Kentico CMS versions 8.2.x before 8.2.41 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the link parameter.

Solution

Upgrade at least to patched version 8.2.41.

See Also

http://devnet.kentico.com/download/hotfixes

https://packetstormsecurity.com/files/133981/Kentico-CMS-8.2-Cross-Site-Scripting-Open-Redirect.html

Plugin Details

Severity: Medium

ID: 98995

Type: remote

Family: Component Vulnerability

Published: 4/3/2020

Updated: 1/3/2024

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2015-7823

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS Score Source: CVE-2015-7823

Vulnerability Information

CPE: cpe:2.3:a:kentico:kentico_cms:8.2:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Reference Information

CVE: CVE-2015-7823

CWE: 601

OWASP: 2010-A10, 2013-A10, 2013-A9, 2017-A9, 2021-A1, 2021-A6

WASC: URL Redirector Abuse

DISA STIG: APSC-DV-002560, APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.14.2.5

NIST: sp800_53-CM-6b, sp800_53-SI-10

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-14.2.1, 4.0.2-5.1.5

PCI-DSS: 3.2-6.2, 3.2-6.5.8