Kentico CMS 9.0-12.0.49 Cross Site Scripting

2020.10.13
Credit: Ataberk Yavuzer
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2019-19493
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

# Exploit Title: Kentico CMS 9.0-12.0.49 - Persistent Cross Site Scripting # Exploit Author: Ataberk YAVUZER # CVE: CVE-2019-19493 # Type: Webapps # Vendor Homepage: https://www.kentico.com/ # Version: 9.0-12.0.49 # Date: 29-11-2019 #CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2019-19493 Details Persistent Cross Site Scripting vulnerability has been found on the Admin/User Panel. Kentico before 12.0.50 allows file uploads in which the Content-Type header is inconsistent with the file extension, leading to XSS. # Steps to reproduce 1. Log in to Kentico Admin Panel with your credentials. 2. Browse to Profile Page. 3. Click to "Browse" button on Avatar section. 4. Select "avatar.svg" file which can be found on below. 5. Intercept the request before clicking to save button. 6. Change file name to "avatar.svg.png" and send the request. (MimeType needs to be "image/xml+svg") 7. Kentico will generate an avatar link: " http://example.kentico.com/admin/CMSPages/GetAvatar.aspx?avatarguid=<generated_avatar_uid>" Send that link to another user. 8. An alert with cookie values will pop up. #Content of the avatar.svg: <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"/>


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top