A vulnerability classified as critical was found in Kentico CMS up to 12.0.14 (Content Management System). This vulnerability affects an unknown part of the component Security Header Validation. The manipulation as part of a Request leads to a deserialization vulnerability. The CWE definition for the vulnerability is CWE-502. The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

An issue was discovered in Kentico before 12.0.15. Due to a failure to validate security headers, it was possible for a specially crafted request to the staging service to bypass the initial authentication and proceed to deserialize user-controlled .NET object input. This deserialization then led to unauthenticated remote code execution on the server where the Kentico instance was hosted.

The bug was discovered 03/26/2019. The weakness was released 03/26/2019. This vulnerability was named CVE-2019-10068 since 03/26/2019. The exploitation appears to be easy. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Technical details are unknown but an exploit is available.

It is declared as highly functional. This issue was added on 03/25/2022 to the CISA Known Exploited Vulnerabilities Catalog with a due date of 04/15/2022:

Apply updates per vendor instructions.

Upgrading to version 12.0.15 eliminates this vulnerability.

Productinfo

Type

• Content Management System

Vendor

• Kentico

Name

• CMS

Version

• 12.0.0
• 12.0.1
• 12.0.2
• 12.0.3
• 12.0.4
• 12.0.5
• 12.0.6
• 12.0.7
• 12.0.8
• 12.0.9
• 12.0.10
• 12.0.11
• 12.0.12
• 12.0.13
• 12.0.14

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion