CVE-2019-10068 (CVSS 9.8)

Flags: Warning, Exploit
An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x before 11.0.48, 10.0.x before 10.0.52, and 9.x versions. Due to a failure to validate security headers, it was possible for a specially crafted request to the staging service to bypass the initial authentication and proceed to deserialize user-controlled .NET object input. This deserialization then led to unauthenticated remote code execution on the server where the Kentico instance was hosted.
Data provided by the National Vulnerability Database (NVD)

Affected versions
KenticoXperience Version >= 9.0.0 <= 9.0.51
KenticoXperience Version >= 10.0.0 < 10.0.52
KenticoXperience Version >= 11.0.0 < 11.0.48
KenticoXperience Version >= 12.0.0 < 12.0.15

25.03.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

Vulnerability
Kentico Xperience Deserialization of Untrusted Data Vulnerability

Description
Kentico contains a failure to validate security headers. This deserialization can lead to unauthenticated remote code execution.

Required action
Apply updates per vendor instructions.
EPSS metrics
Type   Source     Score    Percentile
EPSS   FIRST.org  93.89%   0.999

CVSS metrics
Source                                 Base Score  Exploitability Score  Impact Score  Vector String
nvd@nist.gov                           9.8         3.9                   5.9           CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov                           7.5         10                    6.4           AV:N/AC:L/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0   9.8         3.9                   5.9           CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.