|ID||CVSS||Summary||Last (major) update||Published|
An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x before 11.0.48, 10.0.x before 10.0.52, and 9.x versions. Due to a failure to validate security headers, it was possible for a specially crafted request to the staging service to bypass
|01-04-2019 - 13:52||26-03-2019 - 18:29|
Kentico before 12.0.50 allows file uploads in which the Content-Type header is inconsistent with the file extension, leading to XSS.
|02-12-2019 - 13:37||02-12-2019 - 03:15|
** DISPUTED ** Kentico v10.0.42 allows Global Administrators to read the cleartext SMTP Password by navigating to the SMTP configuration page. NOTE: the vendor considers this a best-practice violation but not a vulnerability. The vendor plans to fix
|21-02-2019 - 19:31||08-02-2019 - 05:29|
** DISPUTED ** Kentico 11 through 12 lets attackers upload and explore files without authentication via the cmsmodules/medialibrary/formcontrols/liveselectors/insertimageormedia/tabs_media.aspx URI. NOTE: The vendor disputes the report because the re
|10-10-2019 - 12:09||22-05-2019 - 15:29|
Kentico 9.0 before 9.0.51 and 10.0 before 10.0.48 allows remote attackers to obtain Global Administrator access by visiting CMSInstall/install.aspx and then navigating to the CMS Administration Dashboard.
|03-10-2019 - 00:03||23-03-2018 - 15:29|
Kentico CMS before 11.0.45 allows unrestricted upload of a file with a dangerous type.
|11-04-2019 - 16:06||10-04-2019 - 21:29|
** DISPUTED ** Kentico 9.0 through 11.0 has a stack-based buffer overflow via the SqlName, SqlPswd, Database, UserName, or Password field in a SilentInstall XML document. NOTE: the vendor disputes this issue because neither a buffer overflow nor a cr
|01-02-2018 - 18:35||08-01-2018 - 09:29|
Kentico 10 before 10.0.50 and 11 before 11.0.3 has XSS in which a crafted URL results in improper construction of a system page.
|12-04-2018 - 12:26||19-03-2018 - 14:29|
Kentico 10 before 10.0.50 and 11 before 11.0.3 has SQL injection in the administration interface.
|12-04-2018 - 13:09||19-03-2018 - 14:29|
** DISPUTED ** Arbitrary code execution vulnerability in Kentico 9 through 11 allows remote authenticated users to execute arbitrary operating system commands in a dynamic .NET code evaluation context via C# code in a "Pages -> Edit -> Template -> Ed
|28-02-2019 - 20:29||20-02-2018 - 15:29|
|26-03-2019 - 18:40||20-02-2018 - 15:29|
Multiple cross-site scripting (XSS) vulnerabilities in Kentico CMS 8.2 allow remote attackers to inject arbitrary web script or HTML via a (1) parameter name to CMSModules/AdminControls/Pages/UIPage.aspx or the (2) CMSBodyClass cookie variable to the
|22-10-2015 - 19:51||21-10-2015 - 15:59|
Open redirect vulnerability in CMSPages/GetDocLink.ashx in Kentico CMS 8.2 through 8.2.41 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the link parameter. <a href="http://cwe.mitre.org/dat
|23-10-2015 - 12:48||21-10-2015 - 15:59|