CVE-2022-50685
📋 TL;DR
This stored cross-site scripting vulnerability in Kentico Xperience lets an authenticated user upload a crafted XML file as a page attachment or metafile. When another user later opens that file from the site, the browser renders it as XML and executes the script it carries, in the origin of the Kentico application. It affects Kentico Xperience installations that allow attachment or metafile uploads; the attacker needs an account with upload rights, but every user who views the uploaded file is exposed.
💻 Affected Systems
- Kentico Xperience
📦 What is this software?
Kentico Xperience (since succeeded by Xperience by Kentico) is an ASP.NET content management and digital experience platform. Page attachments and metafiles are files that editors upload through the administration interface and that the CMS then serves to site visitors and to other editors.
⚠️ Risk & Real-World Impact
Worst Case
The injected script runs in the origin of the Kentico site, so it can do whatever the victim's session allows: perform administrative actions as a logged-in administrator, read or modify content, exfiltrate data the page exposes, or redirect the victim to a phishing site. Session cookies are readable by script only if they are not flagged HttpOnly, and delivering malware to the victim's system would additionally require a separate browser exploit.
Likely Case
An attacker with a low-privilege account that can upload files gets an administrator or other higher-privileged user to open the uploaded file, then hijacks that session or performs actions in it, harvests credentials through injected forms, or defaces what the victim sees.
If Mitigated
Negligible if XML uploads are blocked, or if uploaded files are served with Content-Disposition: attachment (or a non-XML media type) so that browsers download them instead of rendering them. The browser's own XML rendering is what executes XHTML- or SVG-namespaced script, so no special browser configuration or extension is needed on the victim side.
🎯 Exploit Status
Exploitation requires an authenticated account with permission to upload page attachments or metafiles. The attacker uploads the crafted XML file and then needs a victim to open its URL, for example by sharing a link to the attachment.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check the Kentico hotfix portal for the hotfix that addresses this issue for your installed major version
Vendor Advisory: https://devnet.kentico.com/download/hotfixes
Restart Required: Yes
Instructions:
1. Access the Kentico DevNet hotfix portal
2. Download the hotfix that matches your installed version
3. Apply the hotfix following the vendor's instructions
4. Restart the application and related services
5. Verify the fix using the check under How to Verify
🔧 Temporary Workarounds
Disable XML file uploads
Remove xml from the allowed upload extensions in the Kentico Xperience file upload settings
Modify web.config or application settings to restrict allowed upload file extensions
Implement input validation
Add server-side validation that rejects uploaded XML containing script elements, on* event-handler attributes, or xml-stylesheet processing instructions
Implement custom validation handlers for the file upload endpoints, and serve uploaded files with Content-Disposition: attachment so the browser downloads rather than renders them
🧯 If You Can't Patch
- Implement web application firewall rules to block XML uploads that contain script elements, event-handler attributes, or xml-stylesheet processing instructions
- Restrict file upload permissions to trusted users only and monitor upload activity
- Serve uploaded files from a separate hostname, or with Content-Disposition: attachment, so that script inside them cannot run in the application's origin
🔍 How to Verify
Check if Vulnerable:
In a non-production environment, as an authenticated user, upload an XML file containing an XHTML-namespaced script element (the standard XML-XSS marker) as a page attachment or metafile, then open the file's URL in a browser. If the response carries an XML media type without Content-Disposition: attachment, the browser renders it and the script runs.
Check Version:
Read the installed version and hotfix number from the Kentico administration interface (System application) or from the version of the CMS assemblies in the application's bin folder, and compare it with the hotfix that addresses this issue.
Verify Fix Applied:
Repeat the same test after applying the hotfix: the upload should be rejected, or the served file should no longer execute script (for example because it is returned as a download).
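The test above comes down to two response properties, and the same two properties explain the If Mitigated entry: whether the browser renders the served file inline as XML, and whether that XML carries content a browser executes while rendering it. The following Python triage script, an added example that is not part of this advisory or of Kentico, checks both against constructed sample responses; the header sets, file names and the test payload are assumptions standing in for what a real Kentico attachment URL returns.

```python
"""Triage a served page attachment / metafile for the stored-XSS pattern
behind CVE-2022-50685: an uploaded XML document that the browser both
renders inline and treats as containing executable content.

Added example, not Kentico code. The HTTP headers and XML bodies below are
constructed samples standing in for what a real Kentico file URL returns.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

XHTML_NS = "http://www.w3.org/1999/xhtml"
SVG_NS = "http://www.w3.org/2000/svg"
# Media types a browser parses as XML and renders inline (any "+xml" type too).
XML_MEDIA_TYPES = {"text/xml", "application/xml", "application/xhtml+xml", "image/svg+xml"}
STYLESHEET_PI = re.compile(rb"<\?xml-stylesheet\b[^?]*\?>")


def renders_inline(headers: Dict[str, str]) -> bool:
    """True when a browser would display the body as an XML document rather
    than download it. Content-Disposition: attachment is the usual fix."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("content-disposition", "").strip().lower().startswith("attachment"):
        return False
    media_type = h.get("content-type", "").split(";")[0].strip().lower()
    return media_type in XML_MEDIA_TYPES or media_type.endswith("+xml")


def find_active_content(body: bytes) -> List[str]:
    """List the constructs that make an XML document executable when rendered:
    XHTML/SVG <script>, on* handler attributes on XHTML/SVG elements, and an
    xml-stylesheet processing instruction (an XSLT stylesheet can emit script)."""
    findings: List[str] = []
    for m in STYLESHEET_PI.finditer(body):
        findings.append("xml-stylesheet PI: " + m.group(0).decode(errors="replace"))
    # xml.etree does not fetch external entities but is still exposed to
    # entity-expansion bombs; use defusedxml when pointing this at real uploads.
    root = ET.fromstring(body)
    for el in root.iter():
        ns, _, local = el.tag.rpartition("}")
        ns = ns.lstrip("{")
        if ns not in (XHTML_NS, SVG_NS):
            continue
        if local.lower() == "script":
            findings.append(f"script element in namespace {ns}")
        for attr in el.attrib:
            if attr.lower().startswith("on"):
                findings.append(f"{attr} handler on <{local}>")
    return findings


def assess(headers: Dict[str, str], body: bytes) -> dict:
    """Exploitable only when the file both renders inline and has active content."""
    findings = find_active_content(body)
    inline = renders_inline(headers)
    return {"renders_inline": inline, "findings": findings,
            "exploitable": inline and bool(findings)}


# Constructed sample: what a vulnerable install returns for an uploaded XML
# attachment -- XML media type, no download disposition.
VULNERABLE_HEADERS = {"Content-Type": "text/xml; charset=utf-8"}
# Constructed sample: the same body served so the browser will not render it.
MITIGATED_HEADERS = {"Content-Type": "text/xml; charset=utf-8",
                     "Content-Disposition": 'attachment; filename="upload.xml"'}

# Constructed test payload: an innocent-looking document carrying an
# XHTML-namespaced script element (the standard XML-XSS marker) plus a
# stylesheet PI referencing a hypothetical style.xsl.
PAYLOAD_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="style.xsl"?>
<catalog xmlns:html="http://www.w3.org/1999/xhtml">
  <item>Quarterly report</item>
  <html:script>alert(document.domain)</html:script>
</catalog>"""
# Constructed SVG variant: no script element, but an event handler attribute.
SVG_XML = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><circle r="1"/></svg>"""
# Constructed benign document for comparison.
BENIGN_XML = b"""<?xml version="1.0"?>
<catalog><item>Quarterly report</item></catalog>"""

if __name__ == "__main__":
    for label, hdrs, doc in [("vulnerable", VULNERABLE_HEADERS, PAYLOAD_XML),
                             ("mitigated", MITIGATED_HEADERS, PAYLOAD_XML),
                             ("svg", VULNERABLE_HEADERS, SVG_XML),
                             ("benign", VULNERABLE_HEADERS, BENIGN_XML)]:
        print(label, assess(hdrs, doc))
```

Run it against the real response captured from the attachment URL (headers and body) rather than the constructed samples; a result with `renders_inline` true and a non-empty `findings` list is the vulnerable condition, and after the hotfix you expect either the upload to be refused or `renders_inline` to be false.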
📡 Detection & Monitoring
Log Indicators:
- Unusual XML file uploads
- Multiple failed upload attempts
- Uploads from unexpected user accounts
Network Indicators:
- HTTP POST requests with XML file uploads to Kentico endpoints
- Unusual file size patterns for uploads
SIEM Query:
source="kentico_logs" AND (file_extension=".xml" OR content_type="text/xml") AND action="upload"
(Pseudo-query: the source and field names depend on how your pipeline parses Kentico event logs and IIS access logs; adapt them to your schema.)
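Added example, not from this advisory or from Kentico: a Python detector that applies the three log indicators above to constructed key=value log records whose field names mirror the SIEM pseudo-query (action, content_type, file). The allowlist of expected uploaders, the 60-second failure window and the record format are assumptions; it also treats any +xml media type (SVG included) as an XML upload, which goes slightly beyond the .xml extension the page names.

```python
"""Scan upload-activity log lines for the indicators listed above: XML
uploads, bursts of failed uploads, and uploads from accounts not expected
to upload files.

Added example, not part of the advisory or of Kentico. The key=value log
format and every record below are constructed; map the field names onto
whatever your Kentico/IIS log pipeline actually emits.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log. Field names mirror the SIEM pseudo-query above.
SAMPLE_LOG = """\
ts=2024-05-01T10:00:01Z user=editor1 action=upload file=brochure.pdf content_type=application/pdf status=200
ts=2024-05-01T10:00:05Z user=editor1 action=upload file=sitemap.xml content_type=text/xml status=200
ts=2024-05-01T10:01:00Z user=contractor7 action=upload file=a.xml content_type=text/xml status=403
ts=2024-05-01T10:01:02Z user=contractor7 action=upload file=b.xml content_type=application/xml status=403
ts=2024-05-01T10:01:04Z user=contractor7 action=upload file=c.xml content_type=text/xml status=403
ts=2024-05-01T10:01:09Z user=contractor7 action=upload file=d.svg content_type=image/svg+xml status=200
ts=2024-05-01T10:05:00Z user=editor2 action=view file=brochure.pdf content_type=application/pdf status=200
"""

# Hypothetical allowlist of accounts that are expected to upload files.
TRUSTED_UPLOADERS = {"editor1", "editor2"}

KV_RE = re.compile(r"(\w+)=(\S+)")
Alert = Tuple[str, str, str]  # (indicator, user, detail)


def parse_line(line: str) -> Dict[str, str]:
    """Turn one constructed key=value record into a dict."""
    return dict(KV_RE.findall(line))


def is_xml_upload(ev: Dict[str, str]) -> bool:
    """Match on extension or media type; any "+xml" type renders as XML too."""
    if ev.get("action") != "upload":
        return False
    ext = ev.get("file", "").rsplit(".", 1)[-1].lower()
    media = ev.get("content_type", "").lower()
    return ext == "xml" or media in ("text/xml", "application/xml") or media.endswith("+xml")


def detect(lines: List[str], window: timedelta = timedelta(seconds=60),
           burst: int = 3) -> List[Alert]:
    """Emit one alert per indicator hit. The failure-burst alert fires once,
    when a user's failed uploads inside the sliding window reach `burst`."""
    alerts: List[Alert] = []
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if "ts" not in ev or "user" not in ev:
            continue  # not an upload-activity record in the expected shape
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        user, fname = ev["user"], ev.get("file", "")
        if is_xml_upload(ev):
            alerts.append(("xml_upload", user, fname))
        if ev.get("action") == "upload":
            if user not in TRUSTED_UPLOADERS:
                alerts.append(("unexpected_uploader", user, fname))
            if int(ev.get("status", "0")) >= 400:
                recent = [t for t in failures[user] if ts - t <= window] + [ts]
                failures[user] = recent
                if len(recent) == burst:
                    alerts.append(("failed_upload_burst", user,
                                   f"{burst} failures in {int(window.total_seconds())}s"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

On the sample, editor1's sitemap upload produces a single low-priority xml_upload hit, while contractor7 trips all three indicators at once; that combination, not any one indicator alone, is what deserves an analyst's attention.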