PT-2018-17947 · Kentico · Kentico

Published: 2018-02-20 · Updated: 2025-12-19 · CVE-2018-7205

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Kentico versions 9 through 11

Description
A reflected cross-site scripting (XSS) issue allows remote attackers to execute malicious JavaScript via a malicious devicename parameter in a link entered through specific screens, including "Pages -> Edit template properties -> Device Layouts -> Create device layout (and edit created device layout) -> Design". The vendor notes that this functionality is intended for authorized users to edit and update the ASCX layout code.

Recommendations
For Kentico versions 9 through 11, consider restricting access to the "Design" feature on "Edit device layout" to minimize the risk of exploitation, and avoid using the devicename parameter in links until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit: RCE, XSS

Weakness Enumeration

Related Identifiers: CVE-2018-7205

Affected Products: Kentico