Vulnerabilities > Kentico
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK (CVSS) |
---|---|---|---|---|
2025-04-06 | CVE-2025-32370 | Unrestricted Upload of File with Dangerous Type vulnerability in Kentico Xperience | Kentico Xperience before 13.0.178 has a specific set of allowed ContentUploader file extensions for unauthenticated uploads; however, because .zip is processed through TryZipProviderSafe, there is additional functionality to create files with other extensions. | 9.8 |
2025-04-06 | CVE-2025-32369 | Cross-site Scripting vulnerability in Kentico Xperience | Kentico Xperience before 13.0.181 allows authenticated users to distribute malicious content (for stored XSS) via certain interactions with the media library file upload feature. | 5.4 |
2022-07-18 | CVE-2022-32387 | Unspecified vulnerability in Kentico | In Kentico before 13.0.66, attackers can achieve Denial of Service via a crafted request to the GetResource handler. | 7.5 |
2022-04-16 | CVE-2022-29287 | Authorization Bypass Through User-Controlled Key vulnerability in Kentico | Kentico CMS before 13.0.66 has an Insecure Direct Object Reference vulnerability. | 4.9 |
2022-01-10 | CVE-2021-46163 | Cross-site Scripting vulnerability in Kentico CMS 13.0.44 | Kentico Xperience 13.0.44 allows XSS via an XML document to the Media Libraries subsystem. | 6.1 |
2021-12-03 | CVE-2021-43991 | Cross-site Scripting vulnerability in Kentico Xperience | The Kentico Xperience CMS version 13.0 – 13.0.43 is vulnerable to a persistent Cross-Site Scripting (XSS) vulnerability (also known as Stored or Second-Order XSS). | 5.4 |
2021-03-05 | CVE-2021-27581 | SQL Injection vulnerability in Kentico CMS 5.5 | The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter. | 9.8 |
2020-09-09 | CVE-2020-24794 | Cross-site Scripting vulnerability in Kentico | Cross Site Scripting (XSS) vulnerability in Kentico before 12.0.75. | 6.1 |
2019-12-02 | CVE-2019-19493 | Use of Incorrectly-Resolved Name or Reference vulnerability in Kentico | Kentico before 12.0.50 allows file uploads in which the Content-Type header is inconsistent with the file extension, leading to XSS. | 5.4 |
2019-05-22 | CVE-2019-12102 | Incorrect Permission Assignment for Critical Resource vulnerability in Kentico | Kentico 11 through 12 lets attackers upload and explore files without authentication via the cmsmodules/medialibrary/formcontrols/liveselectors/insertimageormedia/tabs_media.aspx URI. | 9.1 |