CVE-2024-12907

Name of the Vulnerable Software and Affected Versions Kentico CMS version 7

Description The issue is a Reflected XSS attack that occurs through the manipulation of a specific GET request parameter sent to the "/CMSMessages/AccessDenied.aspx" endpoint. Support for Kentico CMS version 7 ended in 2016. It is noted that version 8 does not contain this issue.

Recommendations For Kentico CMS version 7, as support has ended and this version is vulnerable, consider upgrading to a supported version to mitigate the risk. As a temporary workaround, consider restricting access to the "/CMSMessages/AccessDenied.aspx" endpoint until a more permanent solution can be applied. Avoid using the vulnerable GET request parameter in this endpoint to minimize the risk of exploitation.