9.1

CVE-2019-12102

EPSS 0.13%
Veröffentlicht 22.05.2019 15:29:03
Zuletzt bearbeitet 19.12.2025 20:47:25
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Kentico 11 through 12 lets attackers upload and explore files without authentication via the cmsmodules/medialibrary/formcontrols/liveselectors/insertimageormedia/tabs_media.aspx URI. NOTE: The vendor disputes the report because the researcher did not configure the media library permissions correctly. The vendor states that by default all users can read/modify/upload files, and it’s up to the administrator to decide who should have access to the media library and set the permissions accordingly. See the vendor documentation in the references for more information

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Kentico ≫ Xperience Version >= 11.0.0 <= 12.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.13%	0.323

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.1	3.9	5.2	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd@nist.gov	6.4	10	4.9	AV:N/AC:L/Au:N/C:P/I:P/A:N

CWE-732 Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

https://devnet.kentico.com/download/hotfixes

Vendor Advisory

https://docs.kentico.com/k12/configuring-kentico/configuring-the-environment-for-content-editors/configuring-media-libraries/assigning-permissions-to-media-libraries

https://docs.kentico.com/k12/release-notes-kentico-12

Vendor Advisory

Release Notes

https://github.com/Gr4y21/My-CVE-IDs/blob/master/Kentico%20CMS%20Unauthenticated%20File%20Upload%20and%20File%20Exposure

Broken Link

https://nvd.nist.gov/vuln/detail/CVE-2019-12102

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-12102

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-12102

EUVD