CVE-2024-58320
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-18

Last updated on: 2025-12-24

Assigner: VulnCheck

Description
An information disclosure vulnerability in Kentico Xperience allows public users to access sensitive administration interface hostname details during authentication. Attackers can retrieve confidential hostname configuration information through a public endpoint, potentially exposing internal network details.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-18
Last Modified
2025-12-24
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-15
NVD
CVE-2024-58320
EUVD
EUVD-2025-204346
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kentico xperience to 13.0.159 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-497 The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include applying the hotfix referenced by Kentico DevNet that addresses this vulnerability. Additionally, restricting access to the administration interface endpoints by network controls such as firewalls or IP whitelisting can reduce exposure. Monitoring and limiting public access to sensitive endpoints is also recommended until the patch is applied. [1]

Executive Summary

This vulnerability in Kentico Xperience allows unauthenticated public users to access sensitive hostname details of the administration interface during the authentication process. It occurs through a publicly accessible endpoint, exposing confidential internal network configuration information. This is an information disclosure issue classified under CWE-497, meaning sensitive system information is exposed to unauthorized users. [1]

Impact Analysis

The vulnerability can expose confidential internal network details to attackers without requiring any privileges or user interaction. This information disclosure could help attackers gather internal network configuration data, potentially facilitating further attacks against the system or network. [1]

Detection Guidance

This vulnerability can be detected by attempting to access the publicly accessible endpoint that exposes the administration interface hostname details without authentication. Specific commands are not provided in the resources, but a common approach would be to use tools like curl or wget to send requests to the suspected endpoint and analyze the response for sensitive hostname information. For example, a command like 'curl http://<target>/path-to-authentication-endpoint' could be used to check if sensitive information is disclosed. [1]

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-58320. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart