CVE-2024-58322
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-18

Last updated on: 2025-12-27

Assigner: VulnCheck

Description
A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious code into shipping options configuration. This could lead to potential theft of sensitive data by executing malicious scripts in users' browsers.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-18
Last Modified
2025-12-27
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-15
NVD
CVE-2024-58322
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kentico xperience to 13.0.158 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability could lead to the theft of sensitive data by executing malicious scripts in users' browsers, which may impact compliance with data protection regulations such as GDPR and HIPAA by potentially exposing personal or sensitive information. However, specific compliance implications are not detailed in the provided resources. [1]

Executive Summary

CVE-2024-58322 is a stored cross-site scripting (XSS) vulnerability in Kentico Xperience up to version 13.0.158. It occurs because the application does not properly neutralize input in the shipping options configuration, allowing attackers to inject malicious scripts. These scripts are stored and later executed in the browsers of users who access the affected shipping options, potentially compromising their security. [1]

Impact Analysis

This vulnerability can lead to the theft of sensitive data by executing malicious scripts in users' browsers. Attackers can exploit the stored XSS to run scripts that may steal cookies, session tokens, or other sensitive information, potentially leading to unauthorized access or data breaches. The CVSS score indicates a medium severity with low impact on confidentiality, integrity, and availability, but user interaction is required for exploitation. [1]

Detection Guidance

Detection of this vulnerability involves checking if your Kentico Xperience installation is running a vulnerable version (up to and including 13.0.158) and inspecting the shipping options configuration for injected malicious scripts. Since this is a stored XSS vulnerability, you can look for suspicious script tags or encoded JavaScript in the shipping options configuration data. There are no specific commands provided in the resources, but you can use web application scanning tools or manual inspection of the shipping options configuration in the admin interface. Additionally, monitoring HTTP traffic for unusual script payloads targeting the shipping options pages may help detect exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include applying the hotfix provided by Kentico DevNet that addresses this stored XSS vulnerability. Until the patch is applied, restrict access to the shipping options configuration to trusted users only, and educate users to avoid interacting with suspicious links or inputs. Additionally, implement input validation and output encoding where possible to reduce the risk of script injection. Monitoring and logging access to the affected configuration can also help detect exploitation attempts. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-58322. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart