CVE-2020-36890
BaseFortify
Publication date: 2025-12-18
Last updated on: 2025-12-24
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kentico | xperience | to 12.0.60 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2020-36890 is an access control bypass vulnerability in Kentico Xperience (up to version 12.0.60) that allows attackers who already have administrator privileges to bypass normal access controls. This enables them to modify global administrator user privileges through unauthorized requests, potentially compromising global administrator accounts and invalidating security-sensitive macros by manipulating user privilege levels. [1]
How can this vulnerability impact me? :
This vulnerability can lead to a serious security breach where attackers can escalate privileges by modifying global administrator accounts. This could result in full compromise of the system's highest-level accounts and the invalidation of security-sensitive macros, potentially allowing attackers to control or disrupt the affected Kentico Xperience environment. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should apply the official hotfixes provided by Kentico DevNet for versions up to 12.0.60. Additionally, restrict administrator privileges to trusted users only, monitor for unauthorized privilege modification attempts, and review access control policies to ensure no unauthorized requests can modify global administrator privileges. [1]