Kentico CMS < 9.0.51 Cross-Site Scripting

medium Web App Scanning Plugin ID 98996

Language:

Synopsis

Kentico CMS < 9.0.51 Cross-Site Scripting

Description

Kentico CMS is a common ASP.NET Content Management System (CMS) used for building websites and online stores.

Kentico CMS versions before 9.0.51 allow remote attackers to inject arbitrary javascript or HTML content via the CMSBodyClass cookie variable.

Solution

Upgrade at least to patched version 9.0.51.

See Also

http://devnet.kentico.com/download/hotfixes

https://packetstormsecurity.com/files/133981/Kentico-CMS-8.2-Cross-Site-Scripting-Open-Redirect.html

Plugin Details

Severity: Medium

ID: 98996

Type: remote

Family: Component Vulnerability

Published: 4/3/2020

Updated: 1/3/2024

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2015-7822

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS Score Source: CVE-2015-7822

Vulnerability Information

CPE: cpe:2.3:a:kentico:kentico:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Reference Information

CVE: CVE-2015-7822

CWE: 79

OWASP: 2010-A2, 2013-A3, 2013-A9, 2017-A7, 2017-A9, 2021-A3, 2021-A6

WASC: Cross-Site Scripting

CAPEC: 209, 588, 591, 592, 63, 85

DISA STIG: APSC-DV-002490, APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.14.2.5

NIST: sp800_53-CM-6b, sp800_53-SI-10

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-14.2.1, 4.0.2-5.3.3

PCI-DSS: 3.2-6.2, 3.2-6.5.7