WEB APPLICATION VULNERABILITIES Standard & Premium

Kentico Staging API Authentication Bypass

Description

Kentico is an ASP.NET web content management system. The Staging API is used to replicate data between production and development systems.

Kentico Staging API contains an authentication bypass vulnerability that allows unauthenticated remote attackers to access sensitive functionality, potentially leading to complete server compromise.

Remediation

Upgrade to the latest version of Kentico

References

Bypassing Authentication Like It's The 90s - Pre-Auth RCE Chain(s) in Kentico Xperience CMS

Kentico Hotfixes

Related Vulnerabilities

Oracle HTTP Server Other Vulnerability (CVE-2007-0282)

Python Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Vulnerability (CVE-2017-17522)

WordPress Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-17672)

Oracle JRE CVE-2013-5804 Vulnerability (CVE-2013-5804)

WordPress Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability (CVE-2022-3590)

Severity

Critical

Classification

CWE-287 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Tags

Configuration Known Vulnerabilities Authentication Bypass