1. Home
  2. CVE Database
  3. CVE-2018-7205
MEDIUM · 4.8

CVE-2018-7205

Reflected Cross-Site Scripting vulnerability in "Design" on "Edit device layout" in Kentico 9 through 11 allows remote attackers to execute malicious JavaScript via a malicious devicename parameter in...

Vulnerability Description

Reflected Cross-Site Scripting vulnerability in "Design" on "Edit device layout" in Kentico 9 through 11 allows remote attackers to execute malicious JavaScript via a malicious devicename parameter in a link that is entered via the "Pages -> Edit template properties -> Device Layouts -> Create device layout (and edit created device layout) -> Design" screens. NOTE: the vendor has responded that there is intended functionality for authorized users to edit and update ascx code layout

CVSS Score

4.8

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE

Affected Products

VendorProductVersions
KenticoXperience>= 9.0, <= 11.0

Related Weaknesses (CWE)

CWE-79

References

FAQ

What is CVE-2018-7205?

CVE-2018-7205 is a vulnerability with a CVSS score of 4.8 (MEDIUM). Reflected Cross-Site Scripting vulnerability in "Design" on "Edit device layout" in Kentico 9 through 11 allows remote attackers to execute malicious JavaScript via a malicious devicename parameter in...

How severe is CVE-2018-7205?

CVE-2018-7205 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-7205?

Check the references section above for vendor advisories and patch information. Affected products include: Kentico Xperience.