Issue title: Authenticated SQL Injection
Description
Some pages in Kentico's administration interface built SQL queries from
user-controlled input in an unsafe manner. Users need specific permissions to
access these pages. However, potential attackers could trick an authenticated
user with sufficient permissions into clicking a malicious link in order to
achieve arbitrary SQL code execution. 
Details
    Vulnerability type: SQL injection
    Security risk: Critical
    Found in version(s): 10.0, 11.0
    Fixed in version: 10.0.50, 11.0.3
    Reported date: 09/Jan/18
    Fixed date: 12/Jan/18
    Reported by: Zakaria Amous (Secureworks)
Issue title: Authenticated Reflected Cross-Site Scripting
Description
User-controlled input was reflected back into a system page without proper
sanitization. Potential attackers could trick victims into visiting a malicious
link, which resulted in arbitrary JavaScript execution in the application's
context.
Details
    Vulnerability type: Reflected Cross-site scripting (XSS)
    Security risk: Major
    Found in version(s): 10.0, 11.0
    Fixed in version: 10.0.50, 11.0.3
    Reported date: 09/Jan/18
    Fixed date: 12/Jan/18
    Reported by: Zakaria Amous (Secureworks)
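The two defects above, the SQL query assembled from a request parameter and the unencoded reflection of input into a page, shown as an added example beside their hardened forms. This is illustrative code written for this note, not Kentico's source; it assumes an in-memory sqlite3 table as a stand-in for the product's SQL Server backend and a constructed `cms_user` table.

```python
import html
import sqlite3


def build_db():
    # Constructed sample data standing in for an administration page's data source.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cms_user (user_id INTEGER, user_name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO cms_user VALUES (?, ?, ?)",
                     [(1, "alice", 1), (2, "bob", 0), (3, "carol", 0)])
    return conn


def find_user_unsafe(conn, name):
    # The pattern the advisory describes: the request parameter becomes part of the SQL text,
    # so the database parses whatever the user supplied as part of the statement.
    sql = "SELECT user_id, user_name FROM cms_user WHERE user_name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Hardened form: the value is bound as a parameter and never interpreted as SQL syntax.
    sql = "SELECT user_id, user_name FROM cms_user WHERE user_name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_message(user_input):
    # Reflected-XSS fix: HTML-encode any input echoed back into the page, including quotes,
    # so browser markup in the value is rendered as text rather than executed.
    return "<p>Search term: " + html.escape(user_input, quote=True) + "</p>"


def demo():
    # A legitimate value with an apostrophe is enough to show the unsafe query is being
    # parsed as SQL: it breaks the statement, while the parameterised query handles it.
    conn = build_db()
    name = "o'brien"  # constructed input, not an attack string
    try:
        unsafe = find_user_unsafe(conn, name)
    except sqlite3.Error as exc:
        unsafe = "query error: " + str(exc)
    return {
        "bob": find_user_safe(conn, "bob"),
        "safe": find_user_safe(conn, name),
        "unsafe": unsafe,
        "html": render_message("<b>o'brien</b>"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```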
Recommendation
Install the latest hotfix. You can download the latest hotfix from the Download section on the DevNet portal.