CVE-2019-25228
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-18

Last updated on: 2025-12-24

Assigner: VulnCheck

Description
An information disclosure vulnerability in Kentico Xperience allows attackers to leak virtual context URLs via the HTTP Referer header when users interact with third-party domains. Sensitive virtual context information can be exposed to external domains through page builder interactions and link/image loading.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-18
Last Modified
2025-12-24
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-15
NVD
CVE-2019-25228
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kentico xperience to 12.0.47 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-497 The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2019-25228 is an information disclosure vulnerability in Kentico Xperience (up to version 12.0.47) that allows attackers to leak sensitive virtual context URLs via the HTTP Referer header. This happens when users interact with third-party domains, such as during page builder interactions or when loading links or images. As a result, sensitive virtual context information can be exposed to unauthorized external domains. [1]

Compliance Impact

The vulnerability allows sensitive virtual context information to be exposed to unauthorized external domains, which could lead to information disclosure. Such exposure of sensitive information may impact compliance with data protection regulations like GDPR or HIPAA, as it involves unauthorized leakage of potentially sensitive data. However, specific compliance impacts are not detailed in the provided resources. [1]

Impact Analysis

This vulnerability can lead to the exposure of sensitive virtual context information to unauthorized external domains. Attackers can exploit this to gain insights into internal URLs or context that should remain private, potentially aiding further attacks or information gathering. However, it does not impact system integrity, availability, or confidentiality directly, and requires user interaction to be exploited. [1]

Detection Guidance

This vulnerability can be detected by monitoring HTTP Referer headers in network traffic for leakage of sensitive virtual context URLs when users interact with third-party domains. You can use network traffic analysis tools such as Wireshark or tcpdump to capture HTTP requests and inspect the Referer headers for suspicious or sensitive virtual context information. For example, using tcpdump: tcpdump -i <interface> -A 'tcp port 80' | grep 'Referer'. Additionally, web server logs can be analyzed for Referer headers containing unexpected virtual context URLs. [1]

Mitigation Strategies

Immediate mitigation steps include applying the hotfix provided by Kentico DevNet for affected Kentico Xperience versions up to and including 12.0.47. Until the patch is applied, consider restricting or sanitizing the Referer header information sent to third-party domains to prevent leakage of sensitive virtual context URLs. Additionally, review and limit user interactions with third-party domains that may trigger the vulnerability. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25228. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart