CVE-2024-58317
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-18

Last updated on: 2025-12-24

Assigner: VulnCheck

Description
A cookie security configuration vulnerability in Kentico Xperience allows attackers to bypass SSL requirements when setting administration cookies via web.config. The vulnerability affects .NET Framework projects by incorrectly handling the 'requireSSL' attribute, potentially compromising session security and authentication state.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-18
Last Modified
2025-12-24
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-15
NVD
CVE-2024-58317
EUVD
EUVD-2025-204336
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kentico xperience to 13.0.164 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-614 The Secure attribute for sensitive cookies in HTTPS sessions is not set.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Kentico Xperience involves improper handling of the 'requireSSL' attribute in the web.config file for .NET Framework projects. It allows attackers to bypass SSL requirements when setting administration cookies, causing sensitive session and authentication cookies to be transmitted without the 'Secure' attribute over non-HTTPS connections. This can expose these cookies to interception and compromise session security. [1]

Impact Analysis

The vulnerability can lead to exposure of sensitive session cookies by allowing them to be sent over unencrypted connections. This can result in attackers intercepting these cookies, potentially compromising session security and authentication states, which may allow unauthorized access to administrative functions. [1]

Detection Guidance

This vulnerability can be detected by inspecting the web.config file in Kentico Xperience .NET Framework projects to check the configuration of the 'requireSSL' attribute for administration cookies. Specifically, verify if the 'requireSSL' attribute is set correctly to enforce the 'Secure' flag on cookies. Additionally, network traffic can be monitored to detect if administration cookies are being transmitted over non-HTTPS connections, indicating the absence of the 'Secure' attribute. Commands to assist in detection include using tools like 'grep' or 'findstr' to search for 'requireSSL' in web.config files, for example: 'grep -i requireSSL web.config' on Linux or 'findstr /i requireSSL web.config' on Windows. Network packet capture tools like Wireshark or tcpdump can be used to inspect HTTP traffic for cookies sent without the Secure flag. [1]

Mitigation Strategies

Immediate mitigation steps include applying the hotfix provided by Kentico DevNet that addresses the improper handling of the 'requireSSL' attribute in the web.config file. Until the hotfix is applied, ensure that the 'requireSSL' attribute is explicitly set to true for administration cookies in the web.config to enforce the Secure flag, preventing cookies from being sent over non-HTTPS connections. Additionally, enforce HTTPS across the entire site to reduce the risk of cookie interception. [1]

Compliance Impact

The vulnerability allows sensitive session cookies to be transmitted without the 'Secure' attribute over non-HTTPS connections, potentially exposing authentication states and session security. This exposure of sensitive data could lead to non-compliance with standards and regulations such as GDPR and HIPAA, which require protection of personal and sensitive information during transmission. However, specific impacts on compliance are not detailed in the provided resources. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-58317. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart