CVE-2020-36889
BaseFortify
Publication date: 2025-12-18
Last updated on: 2025-12-27
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kentico | xperience | to 12.0.90 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2020-36889 is a stored cross-site scripting (XSS) vulnerability in Kentico Xperience versions up to 12.0.90. It occurs because error messages improperly neutralize input, allowing attackers to inject malicious scripts via specially crafted object names. When administrators view these error messages in the administration interface, the malicious scripts execute in their browsers. [1]
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute malicious scripts in the browsers of administrators who view the affected error messages. This could lead to unauthorized actions performed with administrator privileges, potential data theft, or compromise of the administration interface's integrity. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring the Kentico Xperience administration interface for error messages containing suspicious or specially crafted object names that could indicate attempted XSS injection. Since the vulnerability manifests when administrators view error messages, reviewing logs or error outputs for unusual script tags or encoded payloads is recommended. Specific commands are not provided in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the relevant hotfixes provided by the Kentico Security Team to address the vulnerability. Additionally, restrict administrative access to trusted users only and educate administrators to avoid interacting with suspicious error messages until the patch is applied. [1]