Kentico is a popular Content Management System (CMS) platform that allows website owners to manage, publish, and edit their content online. However, a security vulnerability (CVE-2024-12907) has been identified in version 7 of the software that allows attackers to carry out a Reflected XSS attack by manipulating a specific GET request parameter. This vulnerability poses a threat to both website owners and their users and must be addressed. Support for Kentico v7 officially ended in 2016, so no vendor patch will be issued, which makes managing this vulnerability crucial for website administrators.


Reflected XSS Attack Overview
The CVE-2024-12907 vulnerability in Kentico CMS version 7 (v7) allows attackers to carry out a Reflected XSS attack. The value of a specific GET parameter sent to the /CMSMessages/AccessDenied.aspx endpoint is reflected into the response without adequate output encoding, so an attacker can embed script in a crafted URL. When a user opens that link (for example from a phishing email or a malicious page), the injected script executes in the user's browser in the context of the Kentico site, potentially exposing sensitive information or allowing actions to be performed as that user.

Code Snippet

The request below shows how an attacker can manipulate the GET parameter 'ReturnUrl' to inject a malicious script; the percent-encoded payload decodes to </script>"onerror="alert(1)">:

GET /CMSMessages/AccessDenied.aspx?ReturnUrl=%3c/script%3e%22onerror=%22alert(1)%22%3E HTTP/1.1
Host: targetsite.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
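To make the reflection concrete, the following Python script is an added example (it is not Kentico code and does not model the real AccessDenied.aspx page). It decodes the ReturnUrl value from the request above exactly as a server-side handler would, renders it through a hypothetical vulnerable handler that reflects it verbatim and a hypothetical hardened handler that validates it as a local path and HTML-encodes it, and applies the response check a tester uses to confirm an unencoded reflection: do the raw metacharacters of the parameter come back intact in the body?

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Request target taken from the request shown above (ReturnUrl is percent-encoded).
REQUEST_TARGET = ("/CMSMessages/AccessDenied.aspx"
                  "?ReturnUrl=%3c/script%3e%22onerror=%22alert(1)%22%3E")

# Characters that must never reach an HTML attribute or text context unencoded.
HTML_META = '<>"\''


def return_url_from_target(target: str) -> str:
    """Extract and percent-decode ReturnUrl the way a server-side handler would."""
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get("ReturnUrl", [""])[0]


def render_vulnerable(return_url: str) -> str:
    """Hypothetical vulnerable handler: reflects ReturnUrl verbatim into an attribute."""
    return f'<a id="back" href="{return_url}">Return</a>'


def is_local_url(url: str) -> bool:
    """Accept only same-origin relative paths (approximates ASP.NET's Url.IsLocalUrl rule)."""
    return url.startswith("/") and not url.startswith("//") and not url.startswith("/\\")


def render_hardened(return_url: str) -> str:
    """Hypothetical hardened handler: validate ReturnUrl as a local path, then HTML-encode it."""
    if not is_local_url(return_url):
        return_url = "/"
    return f'<a id="back" href="{escape(return_url, quote=True)}">Return</a>'


def reflected_unencoded(return_url: str, body: str) -> bool:
    """Response check: the parameter contained metacharacters and came back byte-for-byte."""
    return any(c in return_url for c in HTML_META) and return_url in body


def classify(target: str, renderer) -> dict:
    """Run one request through a handler and report whether it reflects unsafely."""
    value = return_url_from_target(target)
    body = renderer(value)
    return {"value": value, "body": body, "vulnerable": reflected_unencoded(value, body)}


if __name__ == "__main__":
    for name, handler in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        result = classify(REQUEST_TARGET, handler)
        print(f"{name}: vulnerable={result['vulnerable']}\n  {result['body']}")
```

The same reflected_unencoded check works against a live response body captured with any HTTP client; send a unique canary containing `<>"` rather than an alert() payload so the probe is recognisable in logs and harmless if it does execute.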

This vulnerability has been documented in the following sources:

1. Kentico Support: https://devnet.kentico.com/support
2. National Vulnerability Database (NIST): https://nvd.nist.gov/vuln/detail/CVE-2024-12907
3. XSS exploit explained on OWASP’s website: https://owasp.org/www-community/attacks/xss/

Notably, Kentico CMS v7 is no longer supported, meaning it does not receive security updates or patches. To protect their websites and users, administrators are advised to migrate to a more recent version of Kentico CMS. It is worth noting that this specific vulnerability was not reproduced in Kentico version 8 during testing.

Exploit Details

Because the injected script runs in the victim's browser in the context of the vulnerable site, an attacker who lures a logged-in user to a crafted link can read page content, perform actions as that user and, if session cookies are not marked HttpOnly, steal them to hijack the account, along with any login credentials or personal information entered on the page. The attack requires user interaction (following the crafted URL) but no authentication on the attacker's side. Immediate action is needed to avoid security breaches or other malicious activities.
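While a migration is under way, the practical question for operators is whether anyone is already probing the endpoint. The following Python script is an added example (not part of the original advisory or of Kentico) that parses IIS W3C-format log lines and flags requests to /CMSMessages/AccessDenied.aspx whose ReturnUrl value, after full percent-decoding, contains HTML metacharacters or event-handler syntax. The log lines are constructed for the example, not captured from a real site; the decoding loop also catches double-encoded payloads, which the single decode performed by parse_qs would miss.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed IIS W3C sample lines (not real traffic). IIS writes User-Agent with
# spaces replaced by '+', so every record has exactly one token per field.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-01-03 10:12:01 10.0.0.5 GET /CMSMessages/AccessDenied.aspx ReturnUrl=/admin/cmsdesk/ 443 - 192.0.2.10 Mozilla/5.0 200
2025-01-03 10:12:07 10.0.0.5 GET /CMSMessages/AccessDenied.aspx ReturnUrl=%3c/script%3e%22onerror=%22alert(1)%22%3E 443 - 198.51.100.7 Mozilla/5.0 200
2025-01-03 10:12:09 10.0.0.5 GET /CMSMessages/AccessDenied.aspx ReturnUrl=%253c%252fscript%253e 443 - 198.51.100.7 Mozilla/5.0 200
2025-01-03 10:12:15 10.0.0.5 GET /CMSPages/GetResource.ashx ReturnUrl=%3cscript%3e 443 - 203.0.113.4 Mozilla/5.0 200
"""

TARGET_STEM = "/cmsmessages/accessdenied.aspx"

# Tag/attribute breakout characters, javascript: URLs, or an on*= event handler.
XSS_MARKERS = re.compile(r'[<>"]|javascript:|on\w+\s*=', re.IGNORECASE)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until stable, to unwrap double/triple encoding."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_w3c(text: str):
    """Yield one dict per record, using the column names from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        parts = line.split(" ")
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def find_accessdenied_xss(text: str) -> list:
    """Return hits for AccessDenied.aspx requests whose ReturnUrl looks like XSS."""
    hits = []
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().endswith(TARGET_STEM):
            continue
        params = parse_qs(rec["cs-uri-query"], keep_blank_values=True)
        for key, values in params.items():
            if key.lower() != "returnurl":  # ASP.NET query keys are case-insensitive
                continue
            for raw in values:  # parse_qs has already decoded one layer
                value = decode_fully(raw)
                if XSS_MARKERS.search(value):
                    hits.append({"time": f"{rec['date']} {rec['time']}",
                                 "c-ip": rec["c-ip"], "ReturnUrl": value})
    return hits


if __name__ == "__main__":
    for hit in find_accessdenied_xss(SAMPLE_LOG):
        print(f"{hit['time']} {hit['c-ip']} ReturnUrl={hit['ReturnUrl']!r}")
```

The benign request from 192.0.2.10 and the request to a different stem are ignored; the two requests from 198.51.100.7, one of them double-encoded, are reported. Point the function at your real log files (IIS writes them under %SystemDrive%\inetpub\logs\LogFiles by default) to triage exposure before the migration completes.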

Conclusion

CVE-2024-12907 is a dangerous vulnerability present in Kentico CMS v7 that allows for Reflected XSS attacks through the manipulation of a GET request parameter sent to the /CMSMessages/AccessDenied.aspx endpoint. Given that this version of the software is no longer supported, it is vital for administrators to upgrade and migrate to a more recent, secure version. This will help to protect websites and their users from potential harm caused by attackers exploiting this vulnerability.

Timeline

Published on: 01/02/2025 16:15:07 UTC