CVE-2023-53737

4.8 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in the Localization application of Kentico Xperience lets an authenticated global administrator save script inside localization strings. The stored payload is rendered, and executes, in the administration interface, so it runs in the browser session of any other administrator who views the affected string. Exploitation requires the highest privilege level, which is why the score is only medium, but the attack crosses from one administrator account to another.

💻 Affected Systems

Products:
  • Kentico Xperience
Versions: Not enumerated in the available references; the vendor publishes hotfixes for multiple supported versions, so treat any instance without the relevant hotfix as affected
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires global administrator access to Localization application. Affects both on-premises and cloud deployments.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

A malicious or compromised global administrator stores a script that runs in every other administrator's browser session. Because the script executes in the administration interface's own origin, it can issue requests as the victim and perform any action the victim's role allows, whether or not session cookies are readable (HttpOnly protects the cookie value, not actions made through the victim's browser). The result is full control of the administration interface under other administrators' identities.

🟠

Likely Case

An attacker who has obtained one global administrator account (phished or reused credentials) plants a payload that fires in other administrators' sessions, gaining persistence and the ability to act under their accounts. Global administrators already hold the top role, so the gain is lateral (account-to-account) rather than a step up the role hierarchy, along with theft of data visible in the admin interface.

🟢

If Mitigated

Limited impact where administrator accounts are few, vetted, MFA-protected and monitored, though the vulnerability still allows one administrator to attack another until the hotfix is applied.

🌐 Internet-Facing: MEDIUM - If admin interface is internet-accessible, attackers could exploit if they gain admin credentials.
🏢 Internal Only: MEDIUM - Requires admin access but allows lateral movement between admin accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Simple XSS payload injection once admin access obtained

Requires authenticated global administrator access. Exploitation is straightforward once credentials are compromised.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Hotfixes available for multiple versions via Kentico DevNet

Vendor Advisory: https://devnet.kentico.com/download/hotfixes

Restart Required: Yes

Instructions:

1. Download the hotfix matching your installed version from Kentico DevNet.
2. Back up the current installation (files and database).
3. Apply the hotfix according to Kentico's hotfix documentation.
4. Restart the application/services.
5. Verify the fix by re-testing the Localization application (see How to Verify below).

🔧 Temporary Workarounds

Restrict Localization Access (all platforms)

Limit the Localization application to the administrators who actually maintain translations, and review the membership of the global administrator role; every account in it can both plant and be hit by a payload.

Input Validation (all platforms)

As a stopgap, reject or encode markup (angle brackets, event-handler attributes, javascript: URLs) in localization strings when they are saved, and audit the strings already stored for the same patterns. Input filtering is bypassable; the durable fix for stored XSS is contextual output encoding where the administration interface renders the string, which only the vendor hotfix provides.

🧯 If You Can't Patch

  • Enforce strict administrator access controls (MFA, minimal global administrator membership) and monitor administrator activity, since the attacker must already hold a global administrator account
  • Audit existing localization strings for script-like content so that a payload planted before detection is not left in place
  • Deploy a web application firewall with XSS rules in front of the administration interface as defense in depth only; WAF signatures are routinely bypassed and do nothing about payloads already stored

🔍 How to Verify

Check if Vulnerable:

In a non-production copy of the site, log in as a global administrator, save a benign marker payload (for example an element with an inert event handler that only changes the document title) in a Localization application field, then view the string in the administration interface. If the marker is rendered as live markup, the instance is vulnerable.

Check Version:

Check Kentico Xperience version in administration interface or web.config

Verify Fix Applied:

After patching, save the same marker payload in the Localization application and view it again. A fixed instance renders it as inert text (the angle brackets appear HTML-encoded in the page source); it is not enough for the save to succeed silently, and a string that simply disappears should be investigated rather than taken as proof of a fix.

📡 Detection & Monitoring

Log Indicators:

  • Edits to localization strings outside normal translation workflows (unusual accounts, times, or volume)
  • Failed or unexpected logins to global administrator accounts, and administrator sessions from new locations
  • Script-like content (script tags, event-handler attributes, javascript: URLs, entity-encoded markup) in stored localization data or in audit-log entries for localization edits

Network Indicators:

  • Requests from administrators' browser sessions to unfamiliar external hosts while the administration interface is open (a stored payload fetching a second stage or exfiltrating data)
  • Administrative actions performed from one administrator's session that the administrator did not initiate

SIEM Query:

source="kentico" AND (event="localization_edit" OR event="admin_action") AND (message="*script*" OR message="*alert*" OR message="*onload*")
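The query above is generic pseudo-syntax; the same string patterns can be applied directly to an export of localization strings or to audit-log entries for localization edits. As an added example (not from this page or from Kentico), the Python below scans constructed sample records for script-like content and reports hits per editing user. The record field names (key, value, user) are assumptions for the example, not Kentico's schema; the patterns also check the entity-decoded value so that markup stored as &lt;img ...&gt; is not missed.

```python
import html
import re
from collections import Counter

# Constructed sample records: what an export of localization strings (or an
# audit log of edits to them) might look like. Field names are assumptions.
SAMPLE_RECORDS = [
    {"key": "general.welcome", "value": "Welcome back, {0}", "user": "admin_a"},
    {"key": "general.logout", "value": "<script src=//evil.example/a.js></script>", "user": "admin_b"},
    {"key": "general.help", "value": '<a href="javascript:void(0)" onclick="...">Help</a>', "user": "admin_b"},
    {"key": "general.title", "value": "&lt;img src=x onerror=alert(1)&gt;", "user": "admin_c"},
    {"key": "general.footer", "value": "Copyright 2024 Example Ltd", "user": "admin_a"},
]

# Heuristic patterns: cheap, case-insensitive, and deliberately broad. Expect some
# false positives on legitimate HTML in strings and triage them by hand.
PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "js_url": re.compile(r"javascript\s*:", re.I),
    "markup_tag": re.compile(r"<\s*(iframe|object|embed|svg|img)\b", re.I),
}


def suspicious_fields(records):
    """Return (key, user, pattern, form) for every pattern that matches a value.

    form is 'raw' when the pattern matches the stored text as-is and
    'entity-encoded' when it only matches after HTML entities are decoded.
    Entity-encoded markup is inert where it is encoded, but it becomes live
    markup if any later stage decodes it, so it is flagged separately.
    """
    hits = []
    for rec in records:
        value = rec["value"]
        decoded = html.unescape(value)
        for name, rx in PATTERNS.items():
            if rx.search(value):
                hits.append((rec["key"], rec["user"], name, "raw"))
            elif rx.search(decoded):
                hits.append((rec["key"], rec["user"], name, "entity-encoded"))
    return hits


def hits_by_user(hits):
    """Count flagged patterns per editing account; a single account with many hits is the lead."""
    return Counter(user for _key, user, _name, _form in hits)


if __name__ == "__main__":
    found = suspicious_fields(SAMPLE_RECORDS)
    for key, user, name, form in found:
        print(f"{key:16s} {user:8s} {name:14s} {form}")
    print(dict(hits_by_user(found)))
```

Run it against a full export of the localization strings when triaging, not only against recent edits, since a payload planted before monitoring began is exactly the one the edit log will not show.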
