Vulnerability Description
Kentico 11 through 12 lets attackers upload and explore files without authentication via the cmsmodules/medialibrary/formcontrols/liveselectors/insertimageormedia/tabs_media.aspx URI. NOTE: The vendor disputes the report because the researcher did not configure the media library permissions correctly. The vendor states that by default all users can read/modify/upload files, and it is up to the administrator to decide who should have access to the media library and set the permissions accordingly. See the vendor documentation in the references for more information.
CVSS Score
9.1 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kentico | Xperience | >= 11.0.0, <= 12.0 |
Related Weaknesses (CWE)
References
- https://devnet.kentico.com/download/hotfixes (Vendor Advisory)
- https://docs.kentico.com/k12/configuring-kentico/configuring-the-environment-for
- https://docs.kentico.com/k12/release-notes-kentico-12 (Release Notes, Vendor Advisory)
- https://github.com/Gr4y21/My-CVE-IDs/blob/master/Kentico%20CMS%20Unauthenticated (Broken Link)
FAQ
What is CVE-2019-12102?
CVE-2019-12102 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Kentico 11 through 12 lets attackers upload and explore files without authentication via the cmsmodules/medialibrary/formcontrols/liveselectors/insertimageormedia/tabs_media.aspx URI. NOTE: The vendor...
How severe is CVE-2019-12102?
CVE-2019-12102 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-12102?
Check the references section above for vendor advisories and patch information. Affected products include: Kentico Xperience.