CVE-2022-50684

6.1 MEDIUM

📋 TL;DR

Kentico Xperience builds form-submission notification emails from submitted field values without HTML-encoding them. Anyone who can submit a form can therefore place attacker-controlled markup (links, images, fake notices) into the email that administrators or other recipients receive, and their mail client renders that markup as part of the message rather than showing it as literal text. The practical effect is phishing and other client-side attacks against the recipients. Organizations running Kentico Xperience with form email notifications enabled are affected.

💻 Affected Systems

Products:
  • Kentico Xperience
Versions: Releases without the corresponding Kentico hotfix applied (see Fix & Mitigation)
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only installations that send email notifications for form submissions are exposed. The defect is in how submitted field values are inserted into the generated email body, not in the form itself.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Recipients' mail clients render the injected markup as part of a trusted internal notification, so an attacker can present a convincing fake alert or login link that leads to credential theft, or use remote images and links to track and profile recipients. Modern mail clients strip active content, so script execution in the client is unlikely; where an unusual client or webmail renders untrusted HTML without sanitization, session hijacking or malware delivery through client-side attacks becomes possible.

🟠

Likely Case

Attackers inject phishing content or malicious links into form emails, tricking recipients into revealing credentials or visiting malicious sites.

🟢

If Mitigated

With output encoding applied to every submitted value, the injected markup arrives as literal text (for example, a visible "<a href=...>" string) rather than as rendered links or elements.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only form submission access, which is typically public-facing. HTML injection attacks are well-understood and easy to implement.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Hotfix available via Kentico DevNet

Vendor Advisory: https://devnet.kentico.com/download/hotfixes

Restart Required: Yes

Instructions:

1. Download the hotfix for your Kentico Xperience version from Kentico DevNet.
2. Apply the hotfix to your Kentico Xperience installation.
3. Restart the application.
4. Test form submission functionality, including a submission that contains HTML in a field.

🔧 Temporary Workarounds

Implement Input Validation and Output Encoding

Applies to: all

HTML-encode every submitted value at the point it is inserted into the email body (and into the subject line, if field values are used there). Input validation such as length limits and rejecting control characters is useful defence in depth but is not a substitute: legitimate messages routinely contain characters like "<" and "&", so the value must be encoded on output regardless of what validation accepted. Sending the notification as text/plain instead of HTML also removes the rendering problem.
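The following is an added example, not Kentico's own code, showing the vulnerable concatenation pattern next to its encoded form, plus the kind of input validation that complements (but does not replace) encoding. The field names, the email template and the sample payload are constructed for the demo; in .NET the equivalent of `html.escape` is `System.Net.WebUtility.HtmlEncode`.

```python
"""Added example: encoding submitted form values before placing them in a
notification e-mail. Generic Python, not Kentico code; the field names, the
template and the payload below are constructed for the demo."""
import html

# Constructed submission. The "message" field carries the kind of payload the
# advisory describes: an attacker-controlled link dressed up as a notice.
SAMPLE_SUBMISSION = {
    "name": "Alice <b>Example</b>",
    "email": "alice@example.test",
    "message": '<a href="https://attacker.example/reset">Reset your password</a>',
}

TEMPLATE = "<h2>New form submission</h2>\n<table>\n{rows}\n</table>"


def build_email_body_unsafe(fields: dict) -> str:
    """Vulnerable pattern: raw field values are concatenated into HTML, so
    any markup in a value becomes live markup in the recipient's client."""
    rows = "\n".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in fields.items())
    return TEMPLATE.format(rows=rows)


def build_email_body_safe(fields: dict) -> str:
    """Hardened pattern: every untrusted value is HTML-encoded at the point it
    is inserted. quote=True also encodes quotes, so a value that ends up inside
    an attribute cannot break out of it."""
    rows = "\n".join(
        f"<tr><td>{html.escape(k, quote=True)}</td>"
        f"<td>{html.escape(v, quote=True)}</td></tr>"
        for k, v in fields.items()
    )
    return TEMPLATE.format(rows=rows)


def validate_submission(fields: dict, max_len: int = 2000) -> bool:
    """Input-side defence in depth: reject oversized values and control
    characters (other than CR, LF, TAB). This deliberately does NOT reject
    '<' or '&': legitimate text contains them, and rejecting them would
    tempt developers to skip the encoding that actually fixes the issue."""
    for value in fields.values():
        if len(value) > max_len:
            return False
        if any(ord(c) < 32 and c not in "\r\n\t" for c in value):
            return False
    return True


if __name__ == "__main__":
    print("--- unsafe body (link is live markup) ---")
    print(build_email_body_unsafe(SAMPLE_SUBMISSION))
    print("--- safe body (link is literal text) ---")
    print(build_email_body_safe(SAMPLE_SUBMISSION))
```

Run it and compare the two bodies: in the safe version the attacker's anchor tag survives only as `&lt;a href=&quot;...&quot;&gt;`, which a mail client displays as text.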

Disable Form Email Functionality

Applies to: all

Temporarily disable email notifications from form submissions until patching is complete.

🧯 If You Can't Patch

  • Add web application firewall (WAF) rules that block or flag HTML tags and javascript: URLs in form-field parameters. Expect false positives on free-text fields and encoding bypasses; treat this as a stopgap, not a fix.
  • Configure the mail clients of notification recipients to display messages in plain-text mode only, which neutralizes injected markup on the receiving side.

🔍 How to Verify

Check if Vulnerable:

Submit a form with a harmless, visible tag in a text field (e.g., <b>htmlinjtest123</b> or <a href="https://example.com">test</a>) and open the notification email in an HTML-capable client. If the text appears bold or as a clickable link, the value was not encoded and the installation is vulnerable; if the literal tag characters are shown, it is encoded. A <script> payload is a poor test because mail clients strip scripts, so the absence of a popup proves nothing.

Check Version:

Check Kentico administration interface or web.config for version information

Verify Fix Applied:

After applying the hotfix, repeat the same submission and confirm the tag arrives as literal text in the email (view the raw message source and look for &lt;b&gt; rather than <b>).
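An added check for the two verification steps above (it is not Kentico tooling): it parses the notification email that a test submission produced and reports whether the marker tag arrived as live markup or as encoded text. The two .eml messages are constructed for the demo and are not real Kentico output.

```python
"""Added example: classify a form-notification e-mail as vulnerable or encoded
by looking for the test marker in its HTML parts. Generic Python, not Kentico
code; the sample messages below are constructed."""
import email
import html
from email import policy

# Harmless marker to submit in a form field. A visible element such as <b> is
# better than <script>: mail clients strip scripts, so an absent popup proves
# nothing, whereas bold vs. literal "<b>" text is unambiguous.
MARKER = "<b>htmlinjtest123</b>"


def _html_parts(msg):
    """Yield the decoded text of every text/html part in the message."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def classify_notification(raw_eml: bytes, marker: str = MARKER) -> str:
    """Return 'vulnerable' if the marker appears as raw markup in any HTML
    part, 'encoded' if only its escaped form appears, 'not-found' otherwise."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    encoded_marker = html.escape(marker, quote=False)  # &lt;b&gt;...&lt;/b&gt;
    raw_seen = encoded_seen = False
    for body in _html_parts(msg):
        if marker in body:
            raw_seen = True
        if encoded_marker in body:
            encoded_seen = True
    if raw_seen:
        return "vulnerable"
    if encoded_seen:
        return "encoded"
    return "not-found"


# Constructed sample messages (not real Kentico output).
VULNERABLE_EML = b"""From: forms@example.test
To: admin@example.test
Subject: New form submission
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<h2>New form submission</h2><p>Message: <b>htmlinjtest123</b></p>
"""

ENCODED_EML = b"""From: forms@example.test
To: admin@example.test
Subject: New form submission
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<h2>New form submission</h2><p>Message: &lt;b&gt;htmlinjtest123&lt;/b&gt;</p>
"""

if __name__ == "__main__":
    print("before hotfix:", classify_notification(VULNERABLE_EML))
    print("after hotfix: ", classify_notification(ENCODED_EML))
```

Save the real notification from your mailbox as an .eml file and pass its bytes to `classify_notification`; run it once before and once after the hotfix.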

📡 Detection & Monitoring

Log Indicators:

  • Unusual form submissions containing HTML tags or script elements
  • Multiple form submissions from single IP addresses

Network Indicators:

  • HTTP POST requests to form endpoints containing HTML/script content

SIEM Query:

source="web_server" AND (method="POST" AND (uri_path="/form-submission" OR uri_path="/contact")) AND (request_body CONTAINS "<script>" OR request_body CONTAINS "javascript:")

Adjust the paths to your site's actual form endpoints. Web servers do not log POST bodies by default, so this query needs the WAF or reverse proxy configured to capture them, and since form bodies are URL-encoded (a "<" arrives as "%3C"), match on the decoded body or on both forms. Matching only "<script>" misses the link and image tags that drive the likely phishing case.
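The SIEM query above as runnable detection logic over constructed log records, added here as an example (not Kentico or any SIEM vendor's code). The JSON field names (src_ip, method, uri_path, request_body) and the log lines are assumptions for the demo. It goes slightly beyond the query: it URL-decodes the body first and matches any tag or javascript: URL, not just the two literals, and it flags sources with repeated hits.

```python
"""Added example: detect HTML-injection attempts against form endpoints in
web-server logs. Field names and log lines are constructed for the demo."""
import json
import re
from collections import Counter
from urllib.parse import unquote_plus

# Broader than the query's two literals: any tag, a javascript: URL, or an
# entity-encoded '<' that a lax renderer might decode.
HTML_RE = re.compile(
    r"<\s*/?[a-zA-Z][^>]*>|javascript\s*:|&(?:lt|#60|#x3c);", re.IGNORECASE
)
# Assumed form endpoints; adjust to the site's real paths.
FORM_PATHS = ("/form-submission", "/contact")

# Constructed log records, one JSON object per line.
SAMPLE_LOGS = [
    '{"src_ip":"203.0.113.5","method":"POST","uri_path":"/contact",'
    '"request_body":"name=Bob&message=Hello"}',
    '{"src_ip":"198.51.100.7","method":"POST","uri_path":"/contact",'
    '"request_body":"name=x&message=%3Ca+href%3D%22https%3A%2F%2Fattacker.example%22%3EReset%3C%2Fa%3E"}',
    '{"src_ip":"198.51.100.7","method":"POST","uri_path":"/form-submission",'
    '"request_body":"name=<img src=x onerror=alert(1)>"}',
    '{"src_ip":"198.51.100.7","method":"GET","uri_path":"/contact","request_body":""}',
    '{"src_ip":"192.0.2.9","method":"POST","uri_path":"/login","request_body":"user=<b>x</b>"}',
]


def suspicious_submissions(lines):
    """Return one hit per POST to a form endpoint whose decoded body contains
    HTML markup or a javascript: URL."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("uri_path") not in FORM_PATHS:
            continue
        body = unquote_plus(rec.get("request_body", ""))  # %3C -> <, + -> space
        m = HTML_RE.search(body)
        if m:
            hits.append({"src_ip": rec["src_ip"], "uri_path": rec["uri_path"],
                         "match": m.group(0)})
    return hits


def repeat_sources(hits, threshold=2):
    """Sources with at least `threshold` hits: the 'multiple submissions from a
    single IP' indicator, restricted to submissions that carried markup."""
    counts = Counter(h["src_ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = suspicious_submissions(SAMPLE_LOGS)
    for h in found:
        print(f"{h['src_ip']} {h['uri_path']} matched {h['match']!r}")
    print("repeat sources:", repeat_sources(found))
```

The URL-encoded second record is the one a raw `CONTAINS "<script>"` rule would miss; the `/login` record is ignored because it is not a form-notification endpoint, which keeps the rule from firing on every HTML-looking value site-wide.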
