CVE-2024-58323
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-18

Last updated on: 2025-12-27

Assigner: VulnCheck

Description
A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the Checkbox form component. This allows malicious scripts to execute in users' browsers by exploiting HTML support in the form builder.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-18
Last Modified
2025-12-27
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-15
NVD
CVE-2024-58323
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kentico xperience to 13.0.158 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2024-58323 is a stored cross-site scripting (XSS) vulnerability in Kentico Xperience, specifically in the Checkbox form component. Attackers can inject malicious scripts via this component because it improperly neutralizes input that supports HTML in the form builder. These malicious scripts are stored and later executed in the browsers of users who view the affected forms, leading to unauthorized script execution. [1]

Impact Analysis

This vulnerability can lead to unauthorized execution of malicious scripts in users' browsers when they interact with affected forms. This can result in potential compromise of user data, session hijacking, or other malicious actions performed by the attacker through the executed scripts. The impact is considered medium severity with low confidentiality and integrity impact, and no availability impact. [1]

Detection Guidance

Detection involves identifying if your Kentico Xperience installation is using a vulnerable version (up to and including 13.0.158) and if the Checkbox form component is in use. Since the vulnerability is a stored XSS via the Checkbox form component that supports HTML input, you can check for suspicious or unexpected HTML/script content in form inputs or stored form data. Specific commands are not provided in the resources, but general approaches include reviewing form component configurations and scanning stored form data for script tags or suspicious HTML. Additionally, monitoring HTTP traffic for injected scripts in form submissions or responses may help detect exploitation attempts. [1]

Mitigation Strategies

The immediate mitigation step is to apply the hotfix provided by Kentico DevNet that addresses this vulnerability. Until the patch is applied, avoid using the Checkbox form component with HTML input enabled or restrict user input to prevent script injection. Additionally, review and sanitize all inputs in forms to neutralize malicious scripts and consider implementing web application firewall (WAF) rules to block typical XSS attack patterns targeting the Checkbox form component. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-58323. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart