Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Kentico Xperience allows XSS via an XML document to the Media Libraries subsystem.
The Blog module in Kentico CMS R2 build allows SQL injection via the tagname parameter.
Kentico CMS allows unrestricted upload of a file with a dangerous type.
Kentico allows remote attackers to obtain Global Administrator access by visiting CMSInstall/install.aspx and then navigating to the CMS Administration Dashboard.
Kentico has SQL injection in the administration interface.
Kentico has XSS in which a crafted URL results in improper construction of a system page.
Open redirect vulnerability in CMSPages/GetDocLink.ashx in Kentico CMS allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the link parameter.
Multiple cross-site scripting (XSS) vulnerabilities in Kentico CMS allow remote attackers to inject arbitrary web script or HTML via a (1) parameter name to CMSModules/AdminControls/Pages/UIPage.aspx or the (2) CMSBodyClass cookie variable to the default URI.