The exploit involves uploading a ZIP file containing a malicious SVG file to achieve Cross Site Scripting (XSS) on Kentico Xperience versions before 13.0.178. The malicious SVG file triggers an alert box when it is rendered.
The vulnerability exists due to insufficient sanitization of user-supplied data in Kentico CMS. An attacker can exploit this issue to inject and execute arbitrary script code in the browser of a victim user, potentially leading to the theft of authentication credentials and other attacks.
A persistent Cross Site Scripting vulnerability has been found in the Admin/User Panel. Kentico before 12.0.50 allows file uploads in which the Content-Type header is inconsistent with the file extension, leading to XSS.
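The two root causes above (SVG uploads that carry active content, and a Content-Type that disagrees with the file extension) are both things an upload handler can check before it stores a file. The following validator is an added example written for this page; it is not Kentico's code or a patch from the vendor. The upload policy (`ALLOWED_TYPES`, `MAGIC`), the function names and the sample uploads are all assumptions constructed for the illustration; it rejects SVGs containing script elements, event-handler attributes, `javascript:` links or a DOCTYPE, and rejects any upload whose declared Content-Type or file signature does not match its extension.

```python
"""Upload validator illustrating the two checks the advisory text calls for.
Added example, not Kentico's code; policy and samples are constructed assumptions."""
import re
import xml.etree.ElementTree as ET
from typing import List

# Example policy: accepted extensions and the exact Content-Type each must declare.
ALLOWED_TYPES = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".svg": "image/svg+xml",
}
# Leading bytes expected for the binary image formats (SVG is checked by parsing instead).
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff"}
# Elements that can run script or embed foreign documents when an SVG is rendered inline.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}


def extension(filename: str) -> str:
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot >= 0 else ""


def svg_active_content(data: bytes) -> List[str]:
    """Return the reasons an SVG document could execute script; empty means clean."""
    # Refuse DOCTYPEs before parsing so entity expansion never reaches the parser.
    if re.search(rb"<!DOCTYPE", data, re.IGNORECASE):
        return ["DOCTYPE declaration (entity expansion risk)"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    if root.tag.split("}")[-1].lower() != "svg":
        findings.append(f"root element is <{root.tag}>, not <svg>")
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()  # strip the XML namespace prefix
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1].lower()
            if name.startswith("on"):  # onload, onclick, ... event handlers
                findings.append(f"{name} handler on <{tag}>")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: href on <{tag}>")
    return findings


def validate_upload(filename: str, content_type: str, data: bytes) -> List[str]:
    """Return the list of reasons to reject the upload; an empty list means accept."""
    ext = extension(filename)
    expected = ALLOWED_TYPES.get(ext)
    if expected is None:
        return [f"extension {ext or '(none)'} not allowed"]
    reasons = []
    declared = content_type.split(";")[0].strip().lower()
    if declared != expected:
        reasons.append(f"Content-Type {declared!r} does not match extension {ext}")
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        reasons.append(f"file signature does not match {ext}")
    if ext == ".svg":
        reasons.extend(svg_active_content(data))
    return reasons


# Constructed sample uploads: one clean SVG, two with active content, one mislabelled file.
SAMPLES = [
    ("logo.svg", "image/svg+xml",
     b'<svg xmlns="http://www.w3.org/2000/svg" width="8" height="8"><rect width="8" height="8"/></svg>'),
    ("logo.svg", "image/svg+xml",
     b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed no-op */</script></svg>'),
    ("icon.svg", "image/svg+xml",
     b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="1" onload="void 0"/></svg>'),
    ("photo.png", "image/svg+xml", b'<svg xmlns="http://www.w3.org/2000/svg"/>'),
]

if __name__ == "__main__":
    for name, ctype, body in SAMPLES:
        verdict = validate_upload(name, ctype, body)
        print(f"{name} ({ctype}): {'ACCEPT' if not verdict else 'REJECT ' + '; '.join(verdict)}")
```

Serving accepted SVGs with `Content-Disposition: attachment` or from a separate origin is the usual second layer, since a parser-based allow-list like this one only covers the active-content vectors it enumerates.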