CVE-2022-50684
BaseFortify
Publication date: 2025-12-18
Last updated on: 2025-12-27
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kentico | xperience | to 13.0.71 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2022-50684 is an HTML injection vulnerability in Kentico Xperience (up to version 13.0.71) that allows attackers to inject malicious HTML content into form submission emails via unencoded form fields. This happens because the input is not properly neutralized during web page generation, enabling execution of HTML content within recipient email clients and potentially compromising email security. [1]
How can this vulnerability impact me? :
This vulnerability can lead to execution of malicious HTML content in the email clients of recipients who receive form submission emails from Kentico Xperience. This could compromise email security by enabling phishing, malicious script execution, or other attacks that exploit the injected HTML content. [1]
What immediate steps should I take to mitigate this vulnerability?
Apply the hotfix provided by Kentico DevNet for versions up to and including 13.0.71 to address the HTML injection vulnerability in form submission emails. Additionally, ensure that form fields are properly encoded to neutralize input and prevent injection of malicious HTML content. [1]