Platform: php
Component: kentico-cms
Fixed in: 13.0.179
CVE-2025-2878 is a cross-site scripting (XSS) vulnerability affecting Kentico CMS versions up to 13.0.178. This vulnerability allows an attacker to inject malicious scripts into the application, potentially compromising user sessions and data. The affected component is the Additional Database Installation Wizard, specifically the /CMSInstall/install.aspx endpoint. A fix is available in version 13.0.179.
Successful exploitation of CVE-2025-2878 enables an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to the theft of sensitive information, such as session cookies, authentication tokens, and personally identifiable information (PII). An attacker could also redirect users to malicious websites, deface the website, or perform actions on behalf of the user. The vulnerability's remote accessibility significantly broadens the potential attack surface, making it a concern for any deployment of Kentico CMS within the affected version range.
CVE-2025-2878 was publicly disclosed on March 27, 2025. No public proof-of-concept (PoC) code has been identified at the time of writing. The CVSS score of 2.4 indicates a low probability of exploitation, but the ease of exploitation if a PoC is developed warrants attention. It is not currently listed on the CISA KEV catalog.
Organizations utilizing Kentico CMS version 13.0.178 and earlier are at risk. This includes websites and applications built on Kentico CMS, particularly those with publicly accessible installation or database setup interfaces. Shared hosting environments using Kentico CMS are also at increased risk due to potential vulnerabilities in the shared infrastructure.
• web: Use curl to test the /CMSInstall/install.aspx endpoint with a crafted payload containing a <script> tag. Examine the response body for the payload being reflected back unencoded, which indicates the input is rendered without escaping.
  curl -X POST -d "new database=<script>alert('XSS')</script>" https://your-kentico-cms/CMSInstall/install.aspx
• generic web: Monitor access logs for requests to /CMSInstall/install.aspx containing suspicious characters or patterns indicative of XSS attempts.
• php: Review Kentico CMS application code for instances where user-supplied input is directly rendered without proper sanitization, particularly within the /CMSInstall/install.aspx file.
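As an added example that is not part of the advisory, the access-log check from the "generic web" bullet implemented in Python over a few constructed combined-format log lines. Only the endpoint path comes from the page; the XSS marker patterns, the sample lines and the function names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format) used as offline input.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Mar/2025:10:00:01 +0000] "GET /CMSInstall/install.aspx HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [27/Mar/2025:10:00:05 +0000] "GET /CMSInstall/install.aspx?new%20database=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.12 - - [27/Mar/2025:10:00:09 +0000] "GET /CMSPages/GetResource.ashx?x=1 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.13 - - [27/Mar/2025:10:00:12 +0000] "POST /cmsinstall/Install.aspx HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.14 - - [27/Mar/2025:10:00:20 +0000] "GET /CMSInstall/install.aspx?new+database=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Markers typical of reflected-XSS probes, matched against the URL-decoded request target (assumed list).
XSS_MARKERS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"<\s*\w+[^>]*\bon\w+\s*=", re.I),   # tag with inline event handler, e.g. onerror=
    re.compile(r"javascript\s*:", re.I),
]

def decode_target(target: str) -> str:
    """URL-decode repeatedly so double-encoded payloads are still visible."""
    prev = None
    while prev != target:
        prev, target = target, unquote_plus(target)
    return target

def classify(line: str):
    """Return (ip, reason) for a line that warrants attention, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode_target(m["target"])
    path = target.split("?", 1)[0]
    if path.lower() != "/cmsinstall/install.aspx":
        return None   # only the installation wizard endpoint is in scope for CVE-2025-2878
    for marker in XSS_MARKERS:
        if marker.search(target):
            return (m["ip"], f"xss-pattern: {marker.pattern}")
    # Any request reaching the installation wizard is itself worth reviewing.
    return (m["ip"], "install-wizard-access")

def scan(log_text: str):
    """Run classify() over every line and keep the hits, in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for ip, reason in scan(SAMPLE_LOG):
        print(ip, reason)
```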
EPSS: 0.18% (40th percentile)
The primary mitigation for CVE-2025-2878 is to upgrade Kentico CMS to version 13.0.179 or later, which contains the fix. If immediate upgrading is not feasible, consider implementing input validation and sanitization on the 'new database' parameter within the /CMSInstall/install.aspx endpoint. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting this specific endpoint can also provide a temporary layer of protection. Thoroughly review and test any configuration changes before deploying them to a production environment.
Update Kentico CMS to version 13.0.179 or later. This update fixes the cross-site scripting (XSS) vulnerability in the Additional Database Installation Wizard. Updating as soon as possible is recommended to prevent possible attacks.
CVE-2025-2878 is a cross-site scripting (XSS) vulnerability affecting Kentico CMS versions up to 13.0.178, allowing attackers to inject malicious scripts.
You are affected if you are running Kentico CMS version 13.0.178 or earlier. Upgrade to 13.0.179 or later to mitigate the risk.
Upgrade Kentico CMS to version 13.0.179 or later. Consider input validation and WAF rules as temporary mitigations.
No active exploitation has been confirmed at this time, but a PoC could change this.
Refer to the Kentico CMS security advisory for detailed information and updates: [https://www.kentico.com/security/advisories](https://www.kentico.com/security/advisories)