CVE-2018-7046

Name of the Vulnerable Software and Affected Versions Kentico versions 9 through 11

Description The issue allows remote authenticated users to execute arbitrary operating system commands in a dynamic .NET code evaluation context via C# code in a "Pages -> Edit -> Template -> Edit template properties -> Layout" box. The vendor has noted that there is intended functionality for authorized users to edit and update ascx code layout.

Recommendations For Kentico versions 9 through 11, consider restricting access to the "Pages -> Edit -> Template -> Edit template properties -> Layout" box to minimize the risk of exploitation, as the vendor has indicated the functionality is intended for authorized users. At the moment, there is no information about a newer version that contains a fix for this vulnerability.