CVE-2025-2748
📋 TL;DR
Kentico Xperience has a stored cross-site scripting (XSS) vulnerability in its multiple-file upload functionality that allows attackers to upload malicious files containing JavaScript. When other users access these files, their browsers execute the malicious code. This affects all Kentico Xperience installations through version 13.0.178.
💻 Affected Systems
- Kentico Xperience
📦 What is this software?
Xperience by Kentico
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over admin accounts, deface websites, or redirect users to malicious sites, potentially leading to complete system compromise.
Likely Case
Attackers upload malicious files that execute JavaScript in victims' browsers, allowing session hijacking, credential theft, or unauthorized actions on behalf of authenticated users.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized, preventing execution while still allowing legitimate file uploads.
🎯 Exploit Status
Exploitation requires the ability to upload files, which typically requires some level of access. The XSS payload would execute when other users access the uploaded files.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Hotfix available from Kentico DevNet
Vendor Advisory: https://devnet.kentico.com/download/hotfixes
Restart Required: Yes
Instructions:
1. Download the hotfix from Kentico DevNet.
2. Apply the hotfix to your Kentico Xperience installation.
3. Restart the application.
4. Test the file upload functionality to confirm that validation now behaves as expected.
🔧 Temporary Workarounds
Disable Multiple-File Upload
Temporarily disable the vulnerable multiple-file upload functionality until patching is complete.
Modify the Kentico configuration to disable the multiple-file upload feature.
Implement File Type Restrictions
Configure the application to allow only specific safe file types and enforce that allowlist with server-side validation (the extension alone is not enough; check the content as well).
Configure file upload restrictions in web.config or the application settings.
🧯 If You Can't Patch
- Implement strict file type validation and content filtering on all upload endpoints
- Enable Content Security Policy (CSP) headers to mitigate XSS impact
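The following is an added example, not Kentico's code and not part of this advisory, showing what "strict file type validation and content filtering" on an upload endpoint looks like in practice: an extension allowlist tied to a fixed Content-Type, a magic-byte check so the content must match the extension, a scan for active content in files that will be served as text, a server-chosen storage name, and download headers (`nosniff`, `Content-Disposition: attachment`, a restrictive CSP) so the browser never renders an upload as HTML. The allowed types, the size cap and the sample uploads are assumptions constructed for the example.

```python
import re
import uuid
from pathlib import PurePosixPath

# Allowlist: extension -> the Content-Type the file will be served with
# (assumption: a simple image/document policy; adapt to the site's real needs)
ALLOWED_TYPES = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".gif": "image/gif",
    ".pdf": "application/pdf",
    ".txt": "text/plain",
}
# Leading bytes ("magic numbers") the content must start with for each binary type
MAGIC_BYTES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}
# Markers of active content inside a file that will be served as plain text
SCRIPT_RE = re.compile(rb"<\s*script|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)
MAX_BYTES = 10 * 1024 * 1024  # 10 MiB cap (assumption)


def validate_upload(client_filename: str, content: bytes):
    """Return (accepted, detail). On acceptance, detail is the MIME type to store with the file."""
    # Keep only the final path component so traversal in the client-supplied name is ignored
    name = PurePosixPath(client_filename.replace("\\", "/")).name
    if not name or "\x00" in name:
        return False, "invalid filename"
    if len(content) > MAX_BYTES:
        return False, "file too large"
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes:
        return False, "missing extension"
    ext = suffixes[-1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext} not allowed"
    expected = MAGIC_BYTES.get(ext)
    if expected and not content.startswith(expected):
        return False, "content does not match extension"
    if ext == ".txt" and SCRIPT_RE.search(content):
        return False, "active content in text file"
    return True, ALLOWED_TYPES[ext]


def storage_name(ext: str) -> str:
    """Server-chosen name: never reuse the client filename on disk or in URLs."""
    return f"{uuid.uuid4().hex}{ext}"


def download_headers(mime_type: str, stored_name: str) -> dict:
    """Headers for serving an uploaded file so the browser never renders it as HTML."""
    return {
        "Content-Type": mime_type,
        "X-Content-Type-Options": "nosniff",  # no MIME sniffing into text/html
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",  # defense in depth if ever inlined
    }


# Constructed sample uploads (not real files): two legitimate, the rest should be rejected
# except the last, whose traversal prefix is stripped before the name is used
SAMPLE_UPLOADS = [
    ("q1-report.pdf", b"%PDF-1.7\n%..."),
    ("logo.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("banner.svg", b"<svg xmlns='http://www.w3.org/2000/svg'><script>1</script></svg>"),
    ("page.html", b"<html><script>1</script></html>"),
    ("fake.png", b"<html><script>1</script></html>"),
    ("notes.txt", b"hello <script>1</script>"),
    ("..\\..\\evil.png", b"\x89PNG\r\n\x1a\n"),
]


def check_samples() -> dict:
    """Run every constructed sample through the validator; keyed by the client filename."""
    return {name: validate_upload(name, data) for name, data in SAMPLE_UPLOADS}


if __name__ == "__main__":
    for name, (ok, detail) in check_samples().items():
        print(f"{name!r:22} -> {'ACCEPT' if ok else 'REJECT'}: {detail}")
```

Note that HTML-like and SVG files are rejected by the allowlist before their content is ever inspected; the content scan only matters for types the allowlist deliberately serves as text. Serving everything with `Content-Disposition: attachment` and `nosniff` is what neutralizes a stored payload even if a validation rule is later missed.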
🔍 How to Verify
Check if Vulnerable:
Test file upload functionality by attempting to upload files containing JavaScript payloads and checking if they execute when accessed.
Check Version:
Check the Kentico Xperience version in the administration interface or via the application's version file; all versions through 13.0.178 are affected.
Verify Fix Applied:
After applying the hotfix, test file uploads with malicious content to ensure proper validation and filtering occurs.
📡 Detection & Monitoring
Log Indicators:
- Unusual file upload patterns
- Multiple failed upload attempts with suspicious filenames
- Files with JavaScript content being uploaded
Network Indicators:
- HTTP POST requests to upload endpoints with suspicious content
- File uploads containing script tags or JavaScript code
SIEM Query:
source="web_server" AND (method="POST" AND uri="*upload*" AND (content="<script>" OR content="javascript:"))
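As an added example (not part of the advisory and not a Kentico or SIEM vendor query), the following Python turns the log and network indicators above into detection logic and runs it over a few constructed log lines. Ordinary web server access logs do not record request bodies, so the example assumes an upload audit log in a `key=value` format that records the request URI, the submitted filename and a short sniff of the body; the field names, the `/admin/upload` path and the sample events are all constructed for illustration. Three rules are implemented: script markers in the filename or body sniff, an extension that a browser would execute, and a burst of rejected uploads from one source within a short window.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample upload audit log (assumed format; not real traffic)
SAMPLE_LOG = """\
ts=2025-04-01T10:00:01Z ip=10.0.0.5 user=alice method=POST uri=/admin/upload status=200 file="q1-report.pdf" sniff="%PDF-1.7"
ts=2025-04-01T10:00:09Z ip=10.0.0.5 user=alice method=POST uri=/admin/upload status=200 file="logo.png" sniff="PNG"
ts=2025-04-01T10:05:00Z ip=198.51.100.7 user=bob method=POST uri=/admin/upload status=200 file="notes.svg" sniff="<svg onload=x>"
ts=2025-04-01T10:05:02Z ip=198.51.100.7 user=bob method=POST uri=/admin/upload status=200 file="index.html" sniff="<script>"
ts=2025-04-01T10:05:03Z ip=198.51.100.7 user=bob method=POST uri=/admin/upload status=403 file="a.htm" sniff="<script>"
ts=2025-04-01T10:05:04Z ip=198.51.100.7 user=bob method=POST uri=/admin/upload status=403 file="b.htm" sniff="<script>"
ts=2025-04-01T10:05:05Z ip=198.51.100.7 user=bob method=POST uri=/admin/upload status=403 file="c.js" sniff="javascript:"
ts=2025-04-01T10:30:00Z ip=10.0.0.9 user=carol method=GET uri=/media/q1-report.pdf status=200 file="" sniff=""
"""

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# The two markers named in the advisory's SIEM query plus inline event handlers
SCRIPT_RE = re.compile(r"<\s*script|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)
# Extensions a browser will execute or render as active content
ACTIVE_EXT = {".html", ".htm", ".xhtml", ".svg", ".js"}
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=5)


def parse_line(line: str) -> dict:
    """Parse one key=value line; quoted values may contain spaces."""
    return {
        m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
        for m in FIELD_RE.finditer(line)
    }


def is_upload_request(ev: dict) -> bool:
    # Mirrors the advisory query: POST to a URI containing "upload"
    return ev.get("method") == "POST" and "upload" in ev.get("uri", "").lower()


def detect(log_text: str) -> list:
    """Return (rule, ip, user, detail) tuples for every indicator found in the log."""
    alerts = []
    failures = defaultdict(list)  # (ip, user) -> timestamps of rejected uploads
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or not is_upload_request(ev):
            continue
        name, sniff = ev.get("file", ""), ev.get("sniff", "")
        who = (ev.get("ip"), ev.get("user"))
        if SCRIPT_RE.search(name) or SCRIPT_RE.search(sniff):
            alerts.append(("script_content", *who, name))
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in ACTIVE_EXT:
            alerts.append(("active_extension", *who, name))
        if ev.get("status", "").startswith("4"):
            failures[who].append(datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")))
    # Burst rule: FAIL_THRESHOLD rejected uploads from one source inside FAIL_WINDOW
    for who, times in failures.items():
        times.sort()
        for i in range(len(times) - FAIL_THRESHOLD + 1):
            if times[i + FAIL_THRESHOLD - 1] - times[i] <= FAIL_WINDOW:
                alerts.append(("failed_burst", *who, f"{FAIL_THRESHOLD}+ rejected uploads within {FAIL_WINDOW}"))
                break
    return alerts


def summarize(alerts: list) -> Counter:
    """Count alerts per rule, useful for a dashboard tile or a unit test."""
    return Counter(rule for rule, *_ in alerts)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for rule, ip, user, detail in found:
        print(f"{rule:17} ip={ip:13} user={user:6} {detail}")
    print(dict(summarize(found)))
```

The `script_content` rule is the one that corresponds most directly to the advisory's query; `active_extension` catches the files a browser would execute even when the body sniff is too short to contain a marker, and `failed_burst` surfaces the "multiple failed upload attempts" indicator that a per-event match cannot express.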