QID 730179

QID 730179: Kentico CMS Simple Object Access Protocol (SOAP) Deserialization Vulnerability

Kentico CMS is a web content management system for building websites, online stores, intranets, and Web 2.0 community sites. It is built on ASP.NET and Microsoft SQL Server; sites are developed through its Portal Engine, in Visual Studio, or with Microsoft MVC.

Because the staging service failed to validate its security headers, a specially crafted request could bypass the initial authentication and proceed to deserialize user-controlled .NET object input.

Affected Versions:
  • Kentico 12.0.x prior to 12.0.15
  • Kentico 11.0.x prior to 11.0.48
  • Kentico 10.0.x prior to 10.0.52
  • All Kentico 9.x versions

QID Detection Logic (Unauthenticated):
This QID checks for vulnerable versions of Kentico CMS by sending a POST request containing a serialized, XML-encoded SOAP message to the /CMSPages/Staging/SyncServer.asmx/ProcessSynchronizationTaskData endpoint.

The deserialization vulnerability can lead to unauthenticated remote code execution on the server hosting the Kentico instance.
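The affected-version ranges listed above and the staging endpoint named in the detection logic can be turned into a local triage script. The following is an added example, not Qualys's detection logic and not Kentico code: it reports whether an installed version falls in one of the affected ranges, and it scans IIS W3C log lines (the sample log is constructed) for POSTs to the staging endpoint that did not come from an assumed allow-list of legitimate staging source servers. The function names and the allow-list are assumptions of the example.

```python
"""Triage helpers for QID 730179 (Kentico staging SOAP deserialization).

Added example; not Qualys or Kentico code. Version boundaries come from the
advisory's "Affected Versions" list. The IIS log below is constructed.
"""
from __future__ import annotations

import re
from typing import Iterable

# Branch -> first fixed hotfix level, per the advisory. Every 9.x release is
# listed as affected, with no fixed 9.x build given.
FIXED_BUILDS = {
    (12, 0): 15,
    (11, 0): 48,
    (10, 0): 52,
}
STAGING_ENDPOINT = "/CMSPages/Staging/SyncServer.asmx/ProcessSynchronizationTaskData"


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.0.14' (or 'Kentico 12.0.14') into (12, 0, 14)."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version: str) -> bool:
    """True if the version is inside an affected range named in the advisory."""
    v = parse_version(version)
    major = v[0]
    if major == 9:
        return True
    minor = v[1] if len(v) > 1 else 0
    patch = v[2] if len(v) > 2 else 0
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return False  # branch not named in the advisory; out of its scope
    return patch < fixed


def staging_requests(log_lines: Iterable[str]) -> list[dict[str, str]]:
    """Return IIS W3C log records that POST to the staging sync endpoint.

    The '#Fields:' header is used to locate columns, so the site's field
    order does not matter.
    """
    fields: list[str] = []
    hits = []
    for line in log_lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or truncated record
        rec = dict(zip(fields, parts))
        if (rec.get("cs-method") == "POST"
                and rec.get("cs-uri-stem", "").lower() == STAGING_ENDPOINT.lower()):
            hits.append(rec)
    return hits


def unexpected_staging_requests(log_lines: Iterable[str],
                                allowed_sources: set[str]) -> list[dict[str, str]]:
    """Staging POSTs from client IPs outside the known staging source servers.

    Content staging is server-to-server, so a POST to this endpoint from any
    other host is worth investigating (assumed allow-list, supplied by caller).
    """
    return [r for r in staging_requests(log_lines)
            if r.get("c-ip") not in allowed_sources]


# Constructed sample: one legitimate sync from the staging source server
# (10.0.0.12) and two POSTs from an unknown external host.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2019-04-02 10:15:01 10.0.0.5 GET /CMSPages/GetResource.ashx stylesheetname=x 443 10.0.0.9 Mozilla/5.0 200
2019-04-02 10:15:07 10.0.0.5 POST /CMSPages/Staging/SyncServer.asmx/ProcessSynchronizationTaskData - 443 198.51.100.23 python-requests/2.21 500
2019-04-02 10:15:09 10.0.0.5 POST /CMSPages/Staging/SyncServer.asmx/ProcessSynchronizationTaskData - 443 10.0.0.12 Kentico-Staging 200
2019-04-02 10:16:00 10.0.0.5 POST /CMSPages/Staging/SyncServer.asmx/ProcessSynchronizationTaskData - 443 198.51.100.23 python-requests/2.21 200
"""


if __name__ == "__main__":
    for ver in ("12.0.14", "12.0.15", "9.0.50", "11.0.48"):
        print(f"Kentico {ver}: {'AFFECTED' if is_affected(ver) else 'not affected'}")
    for rec in unexpected_staging_requests(SAMPLE_IIS_LOG.splitlines(), {"10.0.0.12"}):
        print("unexpected staging POST:", rec["date"], rec["time"], rec["c-ip"], rec["sc-status"])
```

Run stand-alone it prints the version verdicts and the two staging POSTs from 198.51.100.23. The version check deliberately returns "not affected" for branches the advisory does not name rather than guessing; a 13.x result therefore says only that this QID does not cover it.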

  • CVSS V3 rated as Critical - 9.8 severity.
  • CVSS V2 rated as High - 7.5 severity.

Solution
The vendor has released a hotfix addressing the CVE; for more information see the vendor reference below.

Vendor References

CVEs related to QID 730179

Software Advisories
Advisory ID    Software Component    Link
NA                                   devnet.kentico.com/download/hotfixes#securityBugs-v12