CVE-2024-58317
BaseFortify
Publication date: 2025-12-18
Last updated on: 2025-12-24
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kentico | xperience | up to and including 13.0.164 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-614 | The Secure attribute for sensitive cookies in HTTPS sessions is not set. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Kentico Xperience (up to and including version 13.0.164) concerns improper handling of the 'requireSSL' attribute in the web.config file of .NET Framework projects. Because the setting is not honoured when the administration cookies are issued, session and authentication cookies can be set without the 'Secure' attribute, and a browser holding them will then also send them over plain HTTP connections. Anyone positioned to observe that traffic can capture the cookies and reuse the administrator's session. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
Because the affected cookies can be transmitted without the 'Secure' attribute over non-HTTPS connections, an administrator's authentication state and session can be exposed in transit. Exposure of that kind may conflict with standards and regulations such as GDPR and HIPAA, which require personal and sensitive information to be protected during transmission. Specific compliance impacts are not detailed in the available resources. [1]
How can this vulnerability impact me?
Sensitive session and authentication cookies can be sent over unencrypted connections. An attacker who intercepts them can replay them to take over the session, which may grant unauthorized access to the Kentico Xperience administration functions. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Start with the configuration: open the web.config of the Kentico Xperience .NET Framework project and check that 'requireSSL' is set to true for the administration cookies (in ASP.NET this attribute lives on the '<httpCookies>' element and, for forms authentication, on the '<forms>' element). A quick search is 'grep -i requireSSL web.config' on Linux or 'findstr /i requireSSL web.config' on Windows. Bear in mind that a correct setting only shows what was configured; this vulnerability is precisely that the application mishandles the attribute, so a clean web.config does not rule out the flaw. The decisive check is the HTTP response: log in to the administration interface over HTTPS and inspect the 'Set-Cookie' response headers (browser developer tools or any HTTP client will show them) to confirm that every session and authentication cookie carries the 'Secure' attribute. On the network, a packet capture with Wireshark or tcpdump on port 80 will show whether administration cookies are ever transmitted over plain HTTP, which is the observable symptom of the missing 'Secure' attribute. [1]
What immediate steps should I take to mitigate this vulnerability?
Apply the hotfix provided by Kentico DevNet that corrects the handling of the 'requireSSL' attribute; per the affected-version range above, builds up to and including 13.0.164 need it. Until the hotfix is applied, set 'requireSSL' explicitly to true for the administration cookies in web.config so that the 'Secure' flag is requested, but treat this as a partial measure: the defect is that the application does not honour the attribute correctly, so configuration alone cannot be relied on. The stronger interim control is to enforce HTTPS across the entire site, redirecting every HTTP request and sending an HSTS header, so that browsers never send the cookies in cleartext even when the 'Secure' attribute is missing. [1]
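The two checks described in the detection and mitigation answers above, as an added example (not Kentico's code and not from the page's sources): insecure_cookies() parses Set-Cookie response headers captured from the administration site and reports sensitive cookies issued without the Secure attribute, which is the decisive test, and webconfig_findings() parses a web.config and reports whether requireSSL is set on the ASP.NET '<httpCookies>' and '<forms>' elements, which only shows what was configured. The cookie names in SENSITIVE_COOKIES, the captured header values and the two web.config fragments (a weak one beside a hardened one) are constructed for illustration and are assumptions, not values taken from the advisory.

```python
"""Added example (not Kentico's code): checks for the CWE-614 weakness
behind CVE-2024-58317 in Kentico Xperience.

insecure_cookies()   - Set-Cookie values lacking the Secure attribute
webconfig_findings() - requireSSL missing or not 'true' in web.config

All cookie names and sample data below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Assumption: the cookies an Xperience administration session relies on.
# Adjust to the names your deployment actually sets.
SENSITIVE_COOKIES = {".ASPXFORMSAUTH", "ASP.NET_SessionId", "CMSPreferredCulture"}

# Constructed sample of Set-Cookie header values as a vulnerable build might
# emit them: the first two carry no Secure attribute.
CAPTURED_SET_COOKIE = [
    "ASP.NET_SessionId=5r2p1a3k0x; path=/; HttpOnly; SameSite=Lax",
    ".ASPXFORMSAUTH=A1B2C3D4E5F6; path=/; HttpOnly",
    "CMSPreferredCulture=en-US; path=/; Secure; HttpOnly",
    "CMSCookieLevel=1000; path=/",
]

# Constructed web.config fragments: the weak one omits requireSSL, the
# hardened one sets it on both <httpCookies> and <forms>.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" />
    <authentication mode="Forms">
      <forms name=".ASPXFORMSAUTH" loginUrl="CMSPages/logon.aspx" />
    </authentication>
  </system.web>
</configuration>"""

HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <authentication mode="Forms">
      <forms name=".ASPXFORMSAUTH" loginUrl="CMSPages/logon.aspx" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>"""


def parse_set_cookie(header: str) -> tuple:
    """Split one Set-Cookie value into (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive, so compare them lower-cased.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def insecure_cookies(set_cookie_values, sensitive=SENSITIVE_COOKIES) -> list:
    """Names of sensitive cookies that were set without the Secure attribute."""
    findings = []
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        if name in sensitive and "secure" not in attrs:
            findings.append(name)
    return findings


def webconfig_findings(xml_text: str) -> list:
    """Report <httpCookies> and <forms> elements whose requireSSL is not 'true'."""
    root = ET.fromstring(xml_text)  # root is <configuration>
    findings = []
    for path, label in (("system.web/httpCookies", "httpCookies"),
                        ("system.web/authentication/forms", "forms")):
        element = root.find(path)
        value = element.get("requireSSL") if element is not None else None
        if value is None or value.strip().lower() != "true":
            findings.append(f"<{label}>: requireSSL={value!r}, expected \"true\"")
    return findings


if __name__ == "__main__":
    print("Cookies set without Secure:", insecure_cookies(CAPTURED_SET_COOKIE))
    print("Weak web.config:", webconfig_findings(WEAK_WEB_CONFIG))
    print("Hardened web.config:", webconfig_findings(HARDENED_WEB_CONFIG))
```

To use it against a real deployment, feed insecure_cookies() the Set-Cookie values from a login response to the administration interface and webconfig_findings() the contents of the project's web.config. An empty result from webconfig_findings() on an affected build is exactly the situation the advisory describes, so only an empty result from the header check should be read as "not exposed".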