Platform
php
Component
kentico-cms
Fixed in
13.0.179
CVE-2025-2878 is a cross-site scripting (XSS) vulnerability affecting Kentico CMS versions up to 13.0.178. This vulnerability allows an attacker to inject malicious scripts into the application, potentially compromising user sessions and data. The affected component is the Additional Database Installation Wizard, specifically the /CMSInstall/install.aspx endpoint. A fix is available in version 13.0.179.
Successful exploitation of CVE-2025-2878 enables an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to the theft of sensitive information, such as session cookies, authentication tokens, and personally identifiable information (PII). An attacker could also redirect users to malicious websites, deface the website, or perform actions on behalf of the user. The vulnerability's remote accessibility significantly broadens the potential attack surface, making it a concern for any deployment of Kentico CMS within the affected version range.
CVE-2025-2878 was publicly disclosed on March 27, 2025. No public proof-of-concept (PoC) code has been identified at the time of writing. The CVSS score of 2.4 indicates a low probability of exploitation, but the ease of exploitation if a PoC is developed warrants attention. It is not currently listed on the CISA KEV catalog.
Organizations utilizing Kentico CMS version 13.0.178 and earlier are at risk. This includes websites and applications built on Kentico CMS, particularly those with publicly accessible installation or database setup interfaces. Shared hosting environments using Kentico CMS are also at increased risk due to potential vulnerabilities in the shared infrastructure.
• web: Use curl to test the /CMSInstall/install.aspx endpoint with a crafted payload containing a <script> tag. Examine the response for evidence of script execution.
curl -X POST -d "new database=<script>alert('XSS')</script>" https://your-kentico-cms/CMSInstall/install.aspx
• generic web: Monitor access logs for requests to /CMSInstall/install.aspx containing suspicious characters or patterns indicative of XSS attempts.
• php: Review Kentico CMS application code for instances where user-supplied input is directly rendered without proper sanitization, particularly within the /CMSInstall/install.aspx file.
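To put the access-log monitoring step into practice, here is an added example (not from the advisory and not Kentico code) that scans constructed access-log lines for requests to /CMSInstall/install.aspx whose query string, after percent-decoding, carries HTML or script injection markers; the combined log format, the sample entries and the marker list are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format); not taken from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Mar/2025:10:12:01 +0000] "GET /CMSInstall/install.aspx?new+database=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.7 - - [28/Mar/2025:10:12:05 +0000] "POST /CMSInstall/install.aspx HTTP/1.1" 302 0 "-" "curl/8.4.0"
198.51.100.4 - - [28/Mar/2025:10:13:44 +0000] "GET /CMSInstall/install.aspx?new+database=Sales_2025 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Mar/2025:10:14:02 +0000] "GET /Admin/CMSAdministration.aspx?x=%3Csvg%20onload%3Dalert(1)%3E HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TARGET_PATH = "/cmsinstall/install.aspx"  # the endpoint named in the advisory, compared case-insensitively
# Assumed markers of HTML/JS injection, matched case-insensitively after decoding.
XSS_MARKERS = re.compile(r"<\s*script|<\s*/\s*script|javascript\s*:|<\s*(svg|img|iframe|body)\b|\bon[a-z]+\s*=", re.I)

def decode_target(target):
    """Percent-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) are caught too."""
    for _ in range(3):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target

def find_suspicious(log_text):
    """Return (ip, method, decoded target) for install-wizard requests whose query carries XSS markers."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable combined-log line
        path, _, query = m.group("target").partition("?")
        if path.lower() != TARGET_PATH:
            continue  # only the affected endpoint is of interest here
        decoded = decode_target(query)
        if XSS_MARKERS.search(decoded):
            hits.append((m.group("ip"), m.group("method"), path + "?" + decoded))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("suspicious:", *hit)
```

Standard access logs record only the request line, so a payload sent in a POST body (as in the curl check above) is invisible here; request-body logging at a WAF or reverse proxy is needed to catch that case.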
disclosure
Exploit status
EPSS
0.18% (40th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-2878 is to upgrade Kentico CMS to version 13.0.179 or later, which contains the fix. If immediate upgrading is not feasible, consider implementing input validation and sanitization on the 'new database' parameter within the /CMSInstall/install.aspx endpoint. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting this specific endpoint can also provide a temporary layer of protection. Thoroughly review and test any configuration changes before deploying them to a production environment.
Update Kentico CMS to version 13.0.179 or later. This update fixes the cross-site scripting (XSS) vulnerability in the Additional Database Installation Wizard. It is recommended to apply the update as soon as possible to prevent possible attacks.
CVE-2025-2878 is a cross-site scripting (XSS) vulnerability affecting Kentico CMS versions up to 13.0.178, allowing attackers to inject malicious scripts.
You are affected if you are running Kentico CMS version 13.0.178 or earlier. Upgrade to 13.0.179 or later to mitigate the risk.
Upgrade Kentico CMS to version 13.0.179 or later. Consider input validation and WAF rules as temporary mitigations.
No active exploitation has been confirmed at this time, but a PoC could change this.
Refer to the Kentico CMS security advisory for detailed information and updates: [https://www.kentico.com/security/advisories](https://www.kentico.com/security/advisories)