The Kentico Xperience application does not fully validate or filter files uploaded via the multiple-file upload functionality, which allows for stored XSS.This issue affects Kentico Xperience through 13.0.178.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Mon, 22 Sep 2025 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:kentico:xperience:*:*:*:*:*:*:*:*

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.01065}

epss

{'score': 0.00863}


Mon, 24 Mar 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 24 Mar 2025 18:30:00 +0000

Type Values Removed Values Added
Description The Kentico Xperience application does not fully validate or filter files uploaded via the multiple-file upload functionality, which allows for stored XSS.This issue affects Kentico Xperience through 13.0.178.
Title Kentico Xperience stored cross-site scripting in multiple-file upload functionality
Weaknesses CWE-434
CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2025-03-24T18:34:07.933Z

Reserved: 2025-03-24T16:39:15.399Z

Link: CVE-2025-2748

cve-icon Vulnrichment

Updated: 2025-03-24T18:34:01.445Z

cve-icon NVD

Status : Analyzed

Published: 2025-03-24T19:15:52.270

Modified: 2025-09-22T18:51:01.330

Link: CVE-2025-2748

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-07-12T15:26:07Z