
CVE-2019-10068

Known Exploited (CISA KEV) | Severity: CRITICAL

CVSS Severity Score: 9.8
EPSS Score: 64.4810%
EPSS Percentile: 87.13th
Published: March 26, 2019
Last Modified: December 19, 2025

Vulnerability Description

An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x before 11.0.48, 10.0.x before 10.0.52, and 9.x versions. Due to a failure to validate security headers, it was possible for a specially crafted request to the staging service to bypass the initial authentication and proceed to deserialize user-controlled .NET object input. This deserialization then led to unauthenticated remote code execution on the server where the Kentico instance was hosted.

Affected Platforms (CPE)

Kentico Xperience: >= 9.0.0 and <= 9.0.51
Kentico Xperience: >= 10.0.0 and < 10.0.52
Kentico Xperience: >= 11.0.0 and < 11.0.48
Kentico Xperience: >= 12.0.0 and < 12.0.15
