CVE-2019-25228
BaseFortify
Publication date: 2025-12-18
Last updated on: 2025-12-24
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
| EPSS metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kentico | xperience | up to and including 12.0.47 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-497 | The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows sensitive virtual context information to be exposed to unauthorized external domains, which could lead to information disclosure. Such exposure of sensitive information may impact compliance with data protection regulations like GDPR or HIPAA, as it involves unauthorized leakage of potentially sensitive data. However, specific compliance impacts are not detailed in the provided resources. [1]
Can you explain this vulnerability to me?
CVE-2019-25228 is an information disclosure vulnerability in Kentico Xperience (up to version 12.0.47) that allows attackers to leak sensitive virtual context URLs via the HTTP Referer header. This happens when users interact with third-party domains, such as during page builder interactions or when loading links or images. As a result, sensitive virtual context information can be exposed to unauthorized external domains. [1]
How can this vulnerability impact me?
This vulnerability can lead to the exposure of sensitive virtual context information to unauthorized external domains. Attackers can exploit this to gain insights into internal URLs or context that should remain private, potentially aiding further attacks or information gathering. However, it does not impact system integrity, availability, or confidentiality directly, and requires user interaction to be exploited. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP Referer headers in network traffic for leakage of sensitive virtual context URLs when users interact with third-party domains. You can use network traffic analysis tools such as Wireshark or tcpdump to capture HTTP requests and inspect the Referer headers for suspicious or sensitive virtual context information. For example, using tcpdump: `tcpdump -i <interface> -A 'tcp port 80' | grep 'Referer'`. Additionally, web server logs can be analyzed for Referer headers containing unexpected virtual context URLs. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the hotfix provided by Kentico DevNet for affected Kentico Xperience versions up to and including 12.0.47. Until the patch is applied, consider restricting or sanitizing the Referer header information sent to third-party domains to prevent leakage of sensitive virtual context URLs. Additionally, review and limit user interactions with third-party domains that may trigger the vulnerability. [1]
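The two answers above describe a detection check (look for internal virtual context URLs in Referer headers of requests to third-party domains) and a mitigation (limit what the Referer carries when the browser leaves the site). The following Python is an added example, not code from the CVE record, Kentico or VulnCheck. It assumes an internal site origin, a sensitive path prefix and a few egress-proxy style request records, all constructed for the example; the real virtual context path pattern is deployment-specific and is not stated on this page. The Referrer-Policy rules are the standard browser rules, which is what "sanitizing the Referer header sent to third-party domains" amounts to in practice.

```python
"""Added example (not from the CVE record): two defensive checks for Referer leakage.

1. leak_findings(): scans constructed outbound-request records (request URL plus the
   Referer header, as an egress proxy would log them) and flags cross-origin requests
   whose Referer carries a sensitive internal path rather than just the site origin.
2. referer_for(): returns what a browser sends as Referer under a given Referrer-Policy,
   so the permissive default can be compared with a stricter policy.

INTERNAL_ORIGIN, SENSITIVE_PREFIX and RECORDS are assumptions made for this example.
"""
from urllib.parse import urlsplit, urlunsplit

INTERNAL_ORIGIN = "https://cms.example.internal"  # assumed origin of the Kentico site
# Assumed prefix marking a sensitive path on the internal site; the real virtual context
# path pattern is deployment-specific and is not given in the CVE record.
SENSITIVE_PREFIX = "/cmsctx/"


def origin_of(url):
    """Scheme and host of a URL, e.g. https://cms.example.internal"""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def referer_for(document_url, request_url, policy):
    """Referer a browser sends from document_url when requesting request_url,
    following the Referrer Policy rules for the four policies handled here.
    Returns None when no Referer is sent."""
    doc = urlsplit(document_url)
    req = urlsplit(request_url)
    same_origin = origin_of(document_url) == origin_of(request_url)
    downgrade = doc.scheme == "https" and req.scheme == "http"
    # Full referrer: fragment is always stripped, userinfo is not present in the sample URLs.
    full = urlunsplit((doc.scheme, doc.netloc, doc.path, doc.query, ""))
    origin_only = origin_of(document_url) + "/"
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":  # legacy default: full URL to any HTTPS target
        return None if downgrade else full
    if policy == "strict-origin-when-cross-origin":  # current browser default
        if downgrade:
            return None
        return full if same_origin else origin_only
    if policy == "same-origin":
        return full if same_origin else None
    raise ValueError(f"unsupported policy: {policy}")


# Constructed records: (request URL, Referer header value).
RECORDS = [
    ("https://cdn.thirdparty.example/lib.js",
     "https://cms.example.internal/cmsctx/pv/editor/page/123/"),   # leak: internal path to a third party
    ("https://cms.example.internal/styles.css",
     "https://cms.example.internal/cmsctx/pv/editor/page/123/"),   # same-origin: not a leak
    ("https://cdn.thirdparty.example/logo.png",
     "https://cms.example.internal/"),                             # origin only: nothing sensitive
    ("https://analytics.example/collect",
     "https://cms.example.internal/news/"),                        # cross-origin but public path
]


def leak_findings(records, internal_origin=INTERNAL_ORIGIN, sensitive_prefix=SENSITIVE_PREFIX):
    """Flag cross-origin requests whose Referer exposes an internal path under sensitive_prefix."""
    findings = []
    for request_url, referer in records:
        if not referer or origin_of(referer) != internal_origin:
            continue  # Referer is not from our site
        if origin_of(request_url) == internal_origin:
            continue  # same-origin request; the path never leaves the site
        if urlsplit(referer).path.startswith(sensitive_prefix):
            findings.append((request_url, referer))
    return findings


if __name__ == "__main__":
    for request_url, referer in leak_findings(RECORDS):
        print(f"LEAK  {referer}  ->  {request_url}")
    doc = "https://cms.example.internal/cmsctx/pv/editor/page/123/"
    third = "https://cdn.thirdparty.example/lib.js"
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "same-origin"):
        print(f"{policy:32s} -> {referer_for(doc, third, policy)}")
```

Run stand-alone, the script flags only the first record and prints how the same cross-origin request is reported under each policy: the legacy default sends the full editor path, `strict-origin-when-cross-origin` reduces it to `https://cms.example.internal/`, and `same-origin` sends nothing. A site applies the chosen policy with a `Referrer-Policy` response header or a `<meta name="referrer">` tag, which is the interim sanitization the answer above refers to until the Kentico hotfix is installed.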