PT-2019-12641 · Kentico · Kentico

Published: 2019-05-22 · Updated: 2024-08-04 · CVE-2019-12102

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Kentico versions 11 through 12

Description: The issue allows attackers to upload and explore files without authentication via the "cmsmodules/medialibrary/formcontrols/liveselectors/insertimageormedia/tabs_media.aspx" URI. However, the vendor disputes this report, stating that the researcher had not configured the media library permissions correctly. By default, all users can read, modify, and upload files; it is up to the administrator to decide who should have access to the media library and to set the permissions accordingly.

Recommendations: For Kentico versions 11 through 12, ensure that the media library permissions are configured to restrict access to authorized users only. Administrators should review the default permissions and set them according to their requirements to prevent unauthorized file uploads and directory browsing.

Weakness Enumeration: Incorrect Permission

Related Identifiers: CVE-2019-12102

Affected Products: Kentico